diff --git a/.env.example b/.env.example
index 9864a4148209..552e59e2e0a3 100644
--- a/.env.example
+++ b/.env.example
@@ -511,6 +511,10 @@ OPENID_AUTO_REDIRECT=false
 OPENID_USE_PKCE=false
 #Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
 OPENID_REUSE_TOKENS=
+# Set to true to expose a JWT-signed cookie containing the OpenID `sub` claim with sameSite=lax.
+# This enables cross-origin OAuth callback flows (e.g., AWS Bedrock AgentCore 3LO).
+# Can be used independently of OPENID_REUSE_TOKENS.
+OPENID_EXPOSE_SUB_COOKIE=
 #By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint.
 #If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache.
 #Default is true.
diff --git a/api/cache/getLogStores.js b/api/cache/getLogStores.js
index 40aac08ee633..59406899575b 100644
--- a/api/cache/getLogStores.js
+++ b/api/cache/getLogStores.js
@@ -51,6 +51,10 @@ const namespaces = {
     CacheKeys.OPENID_EXCHANGED_TOKENS,
     Time.TEN_MINUTES,
   ),
+  [CacheKeys.ADMIN_OAUTH_EXCHANGE]: standardCache(
+    CacheKeys.ADMIN_OAUTH_EXCHANGE,
+    Time.THIRTY_SECONDS,
+  ),
 };
 
 /**
diff --git a/api/models/Agent.js b/api/models/Agent.js
index 11789ca63b05..663285183a4b 100644
--- a/api/models/Agent.js
+++ b/api/models/Agent.js
@@ -589,10 +589,16 @@ const deleteAgent = async (searchParameter) => {
   const agent = await Agent.findOneAndDelete(searchParameter);
   if (agent) {
     await removeAgentFromAllProjects(agent.id);
-    await removeAllPermissions({
-      resourceType: ResourceType.AGENT,
-      resourceId: agent._id,
-    });
+    await Promise.all([
+      removeAllPermissions({
+        resourceType: ResourceType.AGENT,
+        resourceId: agent._id,
+      }),
+      removeAllPermissions({
+        resourceType: ResourceType.REMOTE_AGENT,
+        resourceId: agent._id,
+      }),
+    ]);
     try {
       await Agent.updateMany({ 'edges.to': agent.id }, { $pull: { edges: { to: agent.id } } });
     } catch (error) {
@@ -631,7 +637,7 @@ const deleteUserAgents = async (userId) => {
     }
 
     await AclEntry.deleteMany({
-      resourceType: ResourceType.AGENT,
+      resourceType: { $in: [ResourceType.AGENT, ResourceType.REMOTE_AGENT] },
       resourceId: { $in: agentObjectIds },
     });
 
diff --git a/api/models/File.js b/api/models/File.js
index 5e90c86fe4b5..1a01ef12f97e 100644
--- a/api/models/File.js
+++ b/api/models/File.js
@@ -26,7 +26,8 @@ const getFiles = async (filter, _sortOptions, selectFields = { text: 0 }) => {
 };
 
 /**
- * Retrieves tool files (files that are embedded or have a fileIdentifier) from an array of file IDs
+ * Retrieves tool files (files that are embedded or have a fileIdentifier) from an array of file IDs.
+ * Note: execute_code files are handled separately by getCodeGeneratedFiles.
  * @param {string[]} fileIds - Array of file_id strings to search for
  * @param {Set<EToolResources>} toolResourceSet - Optional filter for tool resources
  * @returns {Promise<Array<MongoFile>>} Files that match the criteria
@@ -37,21 +38,25 @@ const getToolFilesByIds = async (fileIds, toolResourceSet) => {
   }
 
   try {
-    const filter = {
-      file_id: { $in: fileIds },
-      $or: [],
-    };
+    const orConditions = [];
 
     if (toolResourceSet.has(EToolResources.context)) {
-      filter.$or.push({ text: { $exists: true, $ne: null }, context: FileContext.agents });
+      orConditions.push({ text: { $exists: true, $ne: null }, context: FileContext.agents });
     }
     if (toolResourceSet.has(EToolResources.file_search)) {
-      filter.$or.push({ embedded: true });
+      orConditions.push({ embedded: true });
     }
-    if (toolResourceSet.has(EToolResources.execute_code)) {
-      filter.$or.push({ 'metadata.fileIdentifier': { $exists: true } });
+
+    if (orConditions.length === 0) {
+      return [];
     }
 
+    const filter = {
+      file_id: { $in: fileIds },
+      context: { $ne: FileContext.execute_code }, // Exclude code-generated files
+      $or: orConditions,
+    };
+
     const selectFields = { text: 0 };
     const sortOptions = { updatedAt: -1 };
 
@@ -62,6 +67,70 @@ const getToolFilesByIds = async (fileIds, toolResourceSet) => {
   }
 };
 
+/**
+ * Retrieves files generated by code execution for a given conversation.
+ * These files are stored locally with fileIdentifier metadata for code env re-upload.
+ * @param {string} conversationId - The conversation ID to search for
+ * @param {string[]} [messageIds] - Optional array of messageIds to filter by (for linear thread filtering)
+ * @returns {Promise<Array<MongoFile>>} Files generated by code execution in the conversation
+ */
+const getCodeGeneratedFiles = async (conversationId, messageIds) => {
+  if (!conversationId) {
+    return [];
+  }
+
+  /** messageIds are required for proper thread filtering of code-generated files */
+  if (!messageIds || messageIds.length === 0) {
+    return [];
+  }
+
+  try {
+    const filter = {
+      conversationId,
+      context: FileContext.execute_code,
+      messageId: { $exists: true, $in: messageIds },
+      'metadata.fileIdentifier': { $exists: true },
+    };
+
+    const selectFields = { text: 0 };
+    const sortOptions = { createdAt: 1 };
+
+    return await getFiles(filter, sortOptions, selectFields);
+  } catch (error) {
+    logger.error('[getCodeGeneratedFiles] Error retrieving code generated files:', error);
+    return [];
+  }
+};
+
+/**
+ * Retrieves user-uploaded execute_code files (not code-generated) by their file IDs.
+ * These are files with fileIdentifier metadata but context is NOT execute_code (e.g., agents or message_attachment).
+ * File IDs should be collected from message.files arrays in the current thread.
+ * @param {string[]} fileIds - Array of file IDs to fetch (from message.files in the thread)
+ * @returns {Promise<Array<MongoFile>>} User-uploaded execute_code files
+ */
+const getUserCodeFiles = async (fileIds) => {
+  if (!fileIds || fileIds.length === 0) {
+    return [];
+  }
+
+  try {
+    const filter = {
+      file_id: { $in: fileIds },
+      context: { $ne: FileContext.execute_code },
+      'metadata.fileIdentifier': { $exists: true },
+    };
+
+    const selectFields = { text: 0 };
+    const sortOptions = { createdAt: 1 };
+
+    return await getFiles(filter, sortOptions, selectFields);
+  } catch (error) {
+    logger.error('[getUserCodeFiles] Error retrieving user code files:', error);
+    return [];
+  }
+};
+
 /**
  * Creates a new file with a TTL of 1 hour.
  * @param {MongoFile} data - The file data to be created, must contain file_id.
@@ -169,6 +238,8 @@ module.exports = {
   findFileById,
   getFiles,
   getToolFilesByIds,
+  getCodeGeneratedFiles,
+  getUserCodeFiles,
   createFile,
   updateFile,
   updateFileUsage,
diff --git a/api/package.json b/api/package.json
index ab0e5130bc69..8916a8487056 100644
--- a/api/package.json
+++ b/api/package.json
@@ -36,7 +36,7 @@
   "dependencies": {
     "@anthropic-ai/sdk": "^0.71.0",
     "@anthropic-ai/vertex-sdk": "^0.14.0",
-    "@aws-sdk/client-bedrock-runtime": "^3.941.0",
+    "@aws-sdk/client-bedrock-runtime": "^3.970.0",
     "@aws-sdk/client-s3": "^3.758.0",
     "@aws-sdk/s3-request-presigner": "^3.758.0",
     "@azure/identity": "^4.7.0",
@@ -45,7 +45,7 @@
     "@google/genai": "^1.19.0",
     "@keyv/redis": "^4.3.3",
     "@langchain/core": "^0.3.80",
-    "@librechat/agents": "^3.0.776",
+    "@librechat/agents": "^3.1.0",
     "@librechat/api": "*",
     "@librechat/data-schemas": "*",
     "@microsoft/microsoft-graph-client": "^3.0.7",
diff --git a/api/server/controllers/PermissionsController.js b/api/server/controllers/PermissionsController.js
index e22e9532c91b..51993d083c3c 100644
--- a/api/server/controllers/PermissionsController.js
+++ b/api/server/controllers/PermissionsController.js
@@ -5,6 +5,7 @@
 const mongoose = require('mongoose');
 const { logger } = require('@librechat/data-schemas');
 const { ResourceType, PrincipalType, PermissionBits } = require('librechat-data-provider');
+const { enrichRemoteAgentPrincipals, backfillRemoteAgentPermissions } = require('@librechat/api');
 const {
   bulkUpdateResourcePermissions,
   ensureGroupPrincipalExists,
@@ -14,7 +15,6 @@ const {
   findAccessibleResources,
   getResourcePermissionsMap,
 } = require('~/server/services/PermissionService');
-const { AclEntry } = require('~/db/models');
 const {
   searchPrincipals: searchLocalPrincipals,
   sortPrincipalsByRelevance,
@@ -24,6 +24,7 @@ const {
   entraIdPrincipalFeatureEnabled,
   searchEntraIdPrincipals,
 } = require('~/server/services/GraphApiService');
+const { AclEntry, AccessRole } = require('~/db/models');
 
 /**
  * Generic controller for resource permission endpoints
@@ -234,7 +235,7 @@ const getResourcePermissions = async (req, res) => {
       },
     ]);
 
-    const principals = [];
+    let principals = [];
     let publicPermission = null;
 
     // Process aggregation results
@@ -280,6 +281,13 @@ const getResourcePermissions = async (req, res) => {
       }
     }
 
+    if (resourceType === ResourceType.REMOTE_AGENT) {
+      const enricherDeps = { AclEntry, AccessRole, logger };
+      const enrichResult = await enrichRemoteAgentPrincipals(enricherDeps, resourceId, principals);
+      principals = enrichResult.principals;
+      backfillRemoteAgentPermissions(enricherDeps, resourceId, enrichResult.entriesToBackfill);
+    }
+
     // Return response in format expected by frontend
     const response = {
       resourceType,
diff --git a/api/server/controllers/UserController.js b/api/server/controllers/UserController.js
index b0cfd7ede27c..0f17b4d3a975 100644
--- a/api/server/controllers/UserController.js
+++ b/api/server/controllers/UserController.js
@@ -22,6 +22,7 @@ const {
 } = require('~/models');
 const {
   ConversationTag,
+  AgentApiKey,
   Transaction,
   MemoryEntry,
   Assistant,
@@ -256,6 +257,7 @@ const deleteUserController = async (req, res) => {
     await deleteFiles(null, user.id); // delete database files in case of orphaned files from previous steps
     await deleteToolCalls(user.id); // delete user tool calls
     await deleteUserAgents(user.id); // delete user agents
+    await AgentApiKey.deleteMany({ user: user._id }); // delete user agent API keys
     await Assistant.deleteMany({ user: user.id }); // delete user assistants
     await ConversationTag.deleteMany({ user: user.id }); // delete user conversation tags
     await MemoryEntry.deleteMany({ userId: user.id }); // delete user memory entries
diff --git a/api/server/controllers/agents/__tests__/callbacks.spec.js b/api/server/controllers/agents/__tests__/callbacks.spec.js
index 7922c31efabb..103f9f3236ae 100644
--- a/api/server/controllers/agents/__tests__/callbacks.spec.js
+++ b/api/server/controllers/agents/__tests__/callbacks.spec.js
@@ -16,9 +16,7 @@ jest.mock('@librechat/data-schemas', () => ({
 }));
 
 jest.mock('@librechat/agents', () => ({
-  EnvVar: { CODE_API_KEY: 'CODE_API_KEY' },
-  Providers: { GOOGLE: 'google' },
-  GraphEvents: {},
+  ...jest.requireActual('@librechat/agents'),
   getMessageId: jest.fn(),
   ToolEndHandler: jest.fn(),
   handleToolCalls: jest.fn(),
diff --git a/api/server/controllers/agents/callbacks.js b/api/server/controllers/agents/callbacks.js
index 0d2a7bc31760..c27f89fdf80d 100644
--- a/api/server/controllers/agents/callbacks.js
+++ b/api/server/controllers/agents/callbacks.js
@@ -1,6 +1,7 @@
 const { nanoid } = require('nanoid');
-const { sendEvent, GenerationJobManager } = require('@librechat/api');
+const { Constants } = require('@librechat/agents');
 const { logger } = require('@librechat/data-schemas');
+const { sendEvent, GenerationJobManager, writeAttachmentEvent } = require('@librechat/api');
 const { Tools, StepTypes, FileContext, ErrorTypes } = require('librechat-data-provider');
 const {
   EnvVar,
@@ -441,10 +442,10 @@ function createToolEndCallback({ req, res, artifactPromises, streamId = null })
       return;
     }
 
-    {
-      if (output.name !== Tools.execute_code) {
-        return;
-      }
+    const isCodeTool =
+      output.name === Tools.execute_code || output.name === Constants.PROGRAMMATIC_TOOL_CALLING;
+    if (!isCodeTool) {
+      return;
     }
 
     if (!output.artifact.files) {
@@ -488,7 +489,226 @@ function createToolEndCallback({ req, res, artifactPromises, streamId = null })
   };
 }
 
+/**
+ * Helper to write attachment events in Open Responses format (librechat:attachment)
+ * @param {ServerResponse} res - The server response object
+ * @param {Object} tracker - The response tracker with sequence number
+ * @param {Object} attachment - The attachment data
+ * @param {Object} metadata - Additional metadata (messageId, conversationId)
+ */
+function writeResponsesAttachment(res, tracker, attachment, metadata) {
+  const sequenceNumber = tracker.nextSequence();
+  writeAttachmentEvent(res, sequenceNumber, attachment, {
+    messageId: metadata.run_id,
+    conversationId: metadata.thread_id,
+  });
+}
+
+/**
+ * Creates a tool end callback specifically for the Responses API.
+ * Emits attachments as `librechat:attachment` events per the Open Responses extension spec.
+ *
+ * @param {Object} params
+ * @param {ServerRequest} params.req
+ * @param {ServerResponse} params.res
+ * @param {Object} params.tracker - Response tracker with sequence number
+ * @param {Promise<MongoFile | { filename: string; filepath: string; expires: number;} | null>[]} params.artifactPromises
+ * @returns {ToolEndCallback} The tool end callback.
+ */
+function createResponsesToolEndCallback({ req, res, tracker, artifactPromises }) {
+  /**
+   * @type {ToolEndCallback}
+   */
+  return async (data, metadata) => {
+    const output = data?.output;
+    if (!output) {
+      return;
+    }
+
+    if (!output.artifact) {
+      return;
+    }
+
+    if (output.artifact[Tools.file_search]) {
+      artifactPromises.push(
+        (async () => {
+          const user = req.user;
+          const attachment = await processFileCitations({
+            user,
+            metadata,
+            appConfig: req.config,
+            toolArtifact: output.artifact,
+            toolCallId: output.tool_call_id,
+          });
+          if (!attachment) {
+            return null;
+          }
+          // For Responses API, emit attachment during streaming
+          if (res.headersSent && !res.writableEnded) {
+            writeResponsesAttachment(res, tracker, attachment, metadata);
+          }
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing file citations:', error);
+          return null;
+        }),
+      );
+    }
+
+    if (output.artifact[Tools.ui_resources]) {
+      artifactPromises.push(
+        (async () => {
+          const attachment = {
+            type: Tools.ui_resources,
+            toolCallId: output.tool_call_id,
+            [Tools.ui_resources]: output.artifact[Tools.ui_resources].data,
+          };
+          // For Responses API, always emit attachment during streaming
+          if (res.headersSent && !res.writableEnded) {
+            writeResponsesAttachment(res, tracker, attachment, metadata);
+          }
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing artifact content:', error);
+          return null;
+        }),
+      );
+    }
+
+    if (output.artifact[Tools.web_search]) {
+      artifactPromises.push(
+        (async () => {
+          const attachment = {
+            type: Tools.web_search,
+            toolCallId: output.tool_call_id,
+            [Tools.web_search]: { ...output.artifact[Tools.web_search] },
+          };
+          // For Responses API, always emit attachment during streaming
+          if (res.headersSent && !res.writableEnded) {
+            writeResponsesAttachment(res, tracker, attachment, metadata);
+          }
+          return attachment;
+        })().catch((error) => {
+          logger.error('Error processing artifact content:', error);
+          return null;
+        }),
+      );
+    }
+
+    if (output.artifact.content) {
+      /** @type {FormattedContent[]} */
+      const content = output.artifact.content;
+      for (let i = 0; i < content.length; i++) {
+        const part = content[i];
+        if (!part) {
+          continue;
+        }
+        if (part.type !== 'image_url') {
+          continue;
+        }
+        const { url } = part.image_url;
+        artifactPromises.push(
+          (async () => {
+            const filename = `${output.name}_img_${nanoid()}`;
+            const file_id = output.artifact.file_ids?.[i];
+            const file = await saveBase64Image(url, {
+              req,
+              file_id,
+              filename,
+              endpoint: metadata.provider,
+              context: FileContext.image_generation,
+            });
+            const fileMetadata = Object.assign(file, {
+              toolCallId: output.tool_call_id,
+            });
+
+            if (!fileMetadata) {
+              return null;
+            }
+
+            // For Responses API, emit attachment during streaming
+            if (res.headersSent && !res.writableEnded) {
+              const attachment = {
+                file_id: fileMetadata.file_id,
+                filename: fileMetadata.filename,
+                type: fileMetadata.type,
+                url: fileMetadata.filepath,
+                width: fileMetadata.width,
+                height: fileMetadata.height,
+                tool_call_id: output.tool_call_id,
+              };
+              writeResponsesAttachment(res, tracker, attachment, metadata);
+            }
+
+            return fileMetadata;
+          })().catch((error) => {
+            logger.error('Error processing artifact content:', error);
+            return null;
+          }),
+        );
+      }
+      return;
+    }
+
+    const isCodeTool =
+      output.name === Tools.execute_code || output.name === Constants.PROGRAMMATIC_TOOL_CALLING;
+    if (!isCodeTool) {
+      return;
+    }
+
+    if (!output.artifact.files) {
+      return;
+    }
+
+    for (const file of output.artifact.files) {
+      const { id, name } = file;
+      artifactPromises.push(
+        (async () => {
+          const result = await loadAuthValues({
+            userId: req.user.id,
+            authFields: [EnvVar.CODE_API_KEY],
+          });
+          const fileMetadata = await processCodeOutput({
+            req,
+            id,
+            name,
+            apiKey: result[EnvVar.CODE_API_KEY],
+            messageId: metadata.run_id,
+            toolCallId: output.tool_call_id,
+            conversationId: metadata.thread_id,
+            session_id: output.artifact.session_id,
+          });
+
+          if (!fileMetadata) {
+            return null;
+          }
+
+          // For Responses API, emit attachment during streaming
+          if (res.headersSent && !res.writableEnded) {
+            const attachment = {
+              file_id: fileMetadata.file_id,
+              filename: fileMetadata.filename,
+              type: fileMetadata.type,
+              url: fileMetadata.filepath,
+              width: fileMetadata.width,
+              height: fileMetadata.height,
+              tool_call_id: output.tool_call_id,
+            };
+            writeResponsesAttachment(res, tracker, attachment, metadata);
+          }
+
+          return fileMetadata;
+        })().catch((error) => {
+          logger.error('Error processing code output:', error);
+          return null;
+        }),
+      );
+    }
+  };
+}
+
 module.exports = {
   getDefaultHandlers,
   createToolEndCallback,
+  createResponsesToolEndCallback,
 };
diff --git a/api/server/controllers/agents/client.js b/api/server/controllers/agents/client.js
index 35cf7de784fe..0977f3468326 100644
--- a/api/server/controllers/agents/client.js
+++ b/api/server/controllers/agents/client.js
@@ -649,6 +649,7 @@ class AgentClient extends BaseClient {
         updateFilesUsage: db.updateFilesUsage,
         getUserKeyValues: db.getUserKeyValues,
         getToolFilesByIds: db.getToolFilesByIds,
+        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
       },
     );
 
@@ -1028,6 +1029,7 @@ class AgentClient extends BaseClient {
 
         run = await createRun({
           agents,
+          messages,
           indexTokenCountMap,
           runId: this.responseMessageId,
           signal: abortController.signal,
diff --git a/api/server/controllers/agents/openai.js b/api/server/controllers/agents/openai.js
new file mode 100644
index 000000000000..331179c7f468
--- /dev/null
+++ b/api/server/controllers/agents/openai.js
@@ -0,0 +1,660 @@
+const { nanoid } = require('nanoid');
+const { logger } = require('@librechat/data-schemas');
+const { EModelEndpoint, ResourceType, PermissionBits } = require('librechat-data-provider');
+const {
+  Callback,
+  ToolEndHandler,
+  formatAgentMessages,
+  ChatModelStreamHandler,
+} = require('@librechat/agents');
+const {
+  writeSSE,
+  createRun,
+  createChunk,
+  sendFinalChunk,
+  createSafeUser,
+  validateRequest,
+  initializeAgent,
+  createErrorResponse,
+  buildNonStreamingResponse,
+  createOpenAIStreamTracker,
+  createOpenAIContentAggregator,
+  isChatCompletionValidationFailure,
+} = require('@librechat/api');
+const { createToolEndCallback } = require('~/server/controllers/agents/callbacks');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
+const { loadAgentTools } = require('~/server/services/ToolService');
+const { getConvoFiles } = require('~/models/Conversation');
+const { getAgent, getAgents } = require('~/models/Agent');
+const db = require('~/models');
+
+/**
+ * Creates a tool loader function for the agent.
+ * @param {AbortSignal} signal - The abort signal
+ */
+function createToolLoader(signal) {
+  return async function loadTools({
+    req,
+    res,
+    tools,
+    model,
+    agentId,
+    provider,
+    tool_options,
+    tool_resources,
+  }) {
+    const agent = { id: agentId, tools, provider, model, tool_options };
+    try {
+      return await loadAgentTools({
+        req,
+        res,
+        agent,
+        signal,
+        tool_resources,
+        streamId: null, // No resumable stream for OpenAI compat
+      });
+    } catch (error) {
+      logger.error('Error loading tools for agent ' + agentId, error);
+    }
+  };
+}
+
+/**
+ * Convert content part to internal format
+ * @param {Object} part - Content part
+ * @returns {Object} Converted part
+ */
+function convertContentPart(part) {
+  if (part.type === 'text') {
+    return { type: 'text', text: part.text };
+  }
+  if (part.type === 'image_url') {
+    return { type: 'image_url', image_url: part.image_url };
+  }
+  return part;
+}
+
+/**
+ * Convert OpenAI messages to internal format
+ * @param {Array} messages - OpenAI format messages
+ * @returns {Array} Internal format messages
+ */
+function convertMessages(messages) {
+  return messages.map((msg) => {
+    let content;
+    if (typeof msg.content === 'string') {
+      content = msg.content;
+    } else if (msg.content) {
+      content = msg.content.map(convertContentPart);
+    } else {
+      content = '';
+    }
+
+    return {
+      role: msg.role,
+      content,
+      ...(msg.name && { name: msg.name }),
+      ...(msg.tool_calls && { tool_calls: msg.tool_calls }),
+      ...(msg.tool_call_id && { tool_call_id: msg.tool_call_id }),
+    };
+  });
+}
+
+/**
+ * Send an error response in OpenAI format
+ */
+function sendErrorResponse(res, statusCode, message, type = 'invalid_request_error', code = null) {
+  res.status(statusCode).json(createErrorResponse(message, type, code));
+}
+
+/**
+ * OpenAI-compatible chat completions controller for agents.
+ *
+ * POST /v1/chat/completions
+ *
+ * Request format:
+ * {
+ *   "model": "agent_id_here",
+ *   "messages": [{"role": "user", "content": "Hello!"}],
+ *   "stream": true,
+ *   "conversation_id": "optional",
+ *   "parent_message_id": "optional"
+ * }
+ */
+const OpenAIChatCompletionController = async (req, res) => {
+  const appConfig = req.config;
+
+  // Validate request
+  const validation = validateRequest(req.body);
+  if (isChatCompletionValidationFailure(validation)) {
+    return sendErrorResponse(res, 400, validation.error);
+  }
+
+  const request = validation.request;
+  const agentId = request.model;
+
+  // Look up the agent
+  const agent = await getAgent({ id: agentId });
+  if (!agent) {
+    return sendErrorResponse(
+      res,
+      404,
+      `Agent not found: ${agentId}`,
+      'invalid_request_error',
+      'model_not_found',
+    );
+  }
+
+  // Generate IDs
+  const requestId = `chatcmpl-${nanoid()}`;
+  const conversationId = request.conversation_id ?? nanoid();
+  const parentMessageId = request.parent_message_id ?? null;
+  const created = Math.floor(Date.now() / 1000);
+
+  const context = {
+    created,
+    requestId,
+    model: agentId,
+  };
+
+  // Set up abort controller
+  const abortController = new AbortController();
+
+  // Handle client disconnect
+  req.on('close', () => {
+    if (!abortController.signal.aborted) {
+      abortController.abort();
+      logger.debug('[OpenAI API] Client disconnected, aborting');
+    }
+  });
+
+  try {
+    // Build allowed providers set
+    const allowedProviders = new Set(
+      appConfig?.endpoints?.[EModelEndpoint.agents]?.allowedProviders,
+    );
+
+    // Create tool loader
+    const loadTools = createToolLoader(abortController.signal);
+
+    // Initialize the agent first to check for disableStreaming
+    const endpointOption = {
+      endpoint: agent.provider,
+      model_parameters: agent.model_parameters ?? {},
+    };
+
+    const primaryConfig = await initializeAgent(
+      {
+        req,
+        res,
+        loadTools,
+        requestFiles: [],
+        conversationId,
+        parentMessageId,
+        agent,
+        endpointOption,
+        allowedProviders,
+        isInitialAgent: true,
+      },
+      {
+        getConvoFiles,
+        getFiles: db.getFiles,
+        getUserKey: db.getUserKey,
+        getMessages: db.getMessages,
+        updateFilesUsage: db.updateFilesUsage,
+        getUserKeyValues: db.getUserKeyValues,
+        getUserCodeFiles: db.getUserCodeFiles,
+        getToolFilesByIds: db.getToolFilesByIds,
+        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
+      },
+    );
+
+    // Determine if streaming is enabled (check both request and agent config)
+    const streamingDisabled = !!primaryConfig.model_parameters?.disableStreaming;
+    const isStreaming = request.stream === true && !streamingDisabled;
+
+    // Create tracker for streaming or aggregator for non-streaming
+    const tracker = isStreaming ? createOpenAIStreamTracker() : null;
+    const aggregator = isStreaming ? null : createOpenAIContentAggregator();
+
+    // Set up response for streaming
+    if (isStreaming) {
+      res.setHeader('Content-Type', 'text/event-stream');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.setHeader('Connection', 'keep-alive');
+      res.setHeader('X-Accel-Buffering', 'no');
+      res.flushHeaders();
+
+      // Send initial chunk with role
+      const initialChunk = createChunk(context, { role: 'assistant' });
+      writeSSE(res, initialChunk);
+    }
+
+    // Create handler config for OpenAI streaming (only used when streaming)
+    const handlerConfig = isStreaming
+      ? {
+          res,
+          context,
+          tracker,
+        }
+      : null;
+
+    // We need custom handlers that stream in OpenAI format
+    const collectedUsage = [];
+    /** @type {Promise<import('librechat-data-provider').TAttachment | null>[]} */
+    const artifactPromises = [];
+
+    // Create tool end callback for processing artifacts (images, file citations, code output)
+    const toolEndCallback = createToolEndCallback({ req, res, artifactPromises, streamId: null });
+
+    // Convert messages to internal format
+    const openaiMessages = convertMessages(request.messages);
+
+    // Format for agent
+    const toolSet = new Set((primaryConfig.tools ?? []).map((tool) => tool && tool.name));
+    const { messages: formattedMessages, indexTokenCountMap } = formatAgentMessages(
+      openaiMessages,
+      {},
+      toolSet,
+    );
+
+    /**
+     * Create a simple handler that processes data
+     */
+    const createHandler = (processor) => ({
+      handle: (_event, data) => {
+        if (processor) {
+          processor(data);
+        }
+      },
+    });
+
+    /**
+     * Stream text content in OpenAI format
+     */
+    const streamText = (text) => {
+      if (!text) {
+        return;
+      }
+      if (isStreaming) {
+        tracker.addText();
+        writeSSE(res, createChunk(context, { content: text }));
+      } else {
+        aggregator.addText(text);
+      }
+    };
+
+    /**
+     * Stream reasoning content in OpenAI format (OpenRouter convention)
+     */
+    const streamReasoning = (text) => {
+      if (!text) {
+        return;
+      }
+      if (isStreaming) {
+        tracker.addReasoning();
+        writeSSE(res, createChunk(context, { reasoning: text }));
+      } else {
+        aggregator.addReasoning(text);
+      }
+    };
+
+    // Built-in handler for processing raw model stream chunks
+    const chatModelStreamHandler = new ChatModelStreamHandler();
+
+    // Event handlers for OpenAI-compatible streaming
+    const handlers = {
+      // Process raw model chunks and dispatch message/reasoning deltas
+      on_chat_model_stream: {
+        handle: async (event, data, metadata, graph) => {
+          await chatModelStreamHandler.handle(event, data, metadata, graph);
+        },
+      },
+
+      // Text content streaming
+      on_message_delta: createHandler((data) => {
+        const content = data?.delta?.content;
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            if (part.type === 'text' && part.text) {
+              streamText(part.text);
+            }
+          }
+        }
+      }),
+
+      // Reasoning/thinking content streaming
+      on_reasoning_delta: createHandler((data) => {
+        const content = data?.delta?.content;
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            const text = part.think || part.text;
+            if (text) {
+              streamReasoning(text);
+            }
+          }
+        }
+      }),
+
+      // Tool call initiation - streams id and name (from on_run_step)
+      on_run_step: createHandler((data) => {
+        const stepDetails = data?.stepDetails;
+        if (stepDetails?.type === 'tool_calls' && stepDetails.tool_calls) {
+          for (const tc of stepDetails.tool_calls) {
+            const toolIndex = data.index ?? 0;
+            const toolId = tc.id ?? '';
+            const toolName = tc.name ?? '';
+            const toolCall = {
+              id: toolId,
+              type: 'function',
+              function: { name: toolName, arguments: '' },
+            };
+
+            // Track tool call in tracker or aggregator
+            if (isStreaming) {
+              if (!tracker.toolCalls.has(toolIndex)) {
+                tracker.toolCalls.set(toolIndex, toolCall);
+              }
+              // Stream initial tool call chunk (like OpenAI does)
+              writeSSE(
+                res,
+                createChunk(context, {
+                  tool_calls: [{ index: toolIndex, ...toolCall }],
+                }),
+              );
+            } else {
+              if (!aggregator.toolCalls.has(toolIndex)) {
+                aggregator.toolCalls.set(toolIndex, toolCall);
+              }
+            }
+          }
+        }
+      }),
+
+      // Tool call argument streaming (from on_run_step_delta)
+      on_run_step_delta: createHandler((data) => {
+        const delta = data?.delta;
+        if (delta?.type === 'tool_calls' && delta.tool_calls) {
+          for (const tc of delta.tool_calls) {
+            const args = tc.args ?? '';
+            if (!args) {
+              continue;
+            }
+
+            const toolIndex = tc.index ?? 0;
+
+            // Update tool call arguments
+            const targetMap = isStreaming ? tracker.toolCalls : aggregator.toolCalls;
+            const tracked = targetMap.get(toolIndex);
+            if (tracked) {
+              tracked.function.arguments += args;
+            }
+
+            // Stream argument delta (only for streaming)
+            if (isStreaming) {
+              writeSSE(
+                res,
+                createChunk(context, {
+                  tool_calls: [
+                    {
+                      index: toolIndex,
+                      function: { arguments: args },
+                    },
+                  ],
+                }),
+              );
+            }
+          }
+        }
+      }),
+
+      // Usage tracking
+      on_chat_model_end: createHandler((data) => {
+        const usage = data?.output?.usage_metadata;
+        if (usage) {
+          collectedUsage.push(usage);
+          const target = isStreaming ? tracker : aggregator;
+          target.usage.promptTokens += usage.input_tokens ?? 0;
+          target.usage.completionTokens += usage.output_tokens ?? 0;
+        }
+      }),
+      on_run_step_completed: createHandler(),
+      // Use proper ToolEndHandler for processing artifacts (images, file citations, code output)
+      on_tool_end: new ToolEndHandler(toolEndCallback, logger),
+      on_chain_stream: createHandler(),
+      on_chain_end: createHandler(),
+      on_agent_update: createHandler(),
+      on_custom_event: createHandler(),
+    };
+
+    // Create and run the agent
+    const userId = req.user?.id ?? 'api-user';
+
+    // Extract userMCPAuthMap from primaryConfig (needed for MCP tool connections)
+    const userMCPAuthMap = primaryConfig.userMCPAuthMap;
+
+    const run = await createRun({
+      agents: [primaryConfig],
+      messages: formattedMessages,
+      indexTokenCountMap,
+      runId: requestId,
+      signal: abortController.signal,
+      customHandlers: handlers,
+      requestBody: {
+        messageId: requestId,
+        conversationId,
+      },
+      user: { id: userId },
+    });
+
+    if (!run) {
+      throw new Error('Failed to create agent run');
+    }
+
+    // Process the stream
+    const config = {
+      runName: 'AgentRun',
+      configurable: {
+        thread_id: conversationId,
+        user_id: userId,
+        user: createSafeUser(req.user),
+        ...(userMCPAuthMap != null && { userMCPAuthMap }),
+      },
+      signal: abortController.signal,
+      streamMode: 'values',
+      version: 'v2',
+    };
+
+    await run.processStream({ messages: formattedMessages }, config, {
+      callbacks: {
+        [Callback.TOOL_ERROR]: (graph, error, toolId) => {
+          logger.error(`[OpenAI API] Tool Error "${toolId}"`, error);
+        },
+      },
+    });
+
+    // Finalize response
+    if (isStreaming) {
+      sendFinalChunk(handlerConfig);
+      res.end();
+
+      // Wait for artifact processing after response ends (non-blocking)
+      if (artifactPromises.length > 0) {
+        Promise.all(artifactPromises).catch((artifactError) => {
+          logger.warn('[OpenAI API] Error processing artifacts:', artifactError);
+        });
+      }
+    } else {
+      // For non-streaming, wait for artifacts before sending response
+      if (artifactPromises.length > 0) {
+        try {
+          await Promise.all(artifactPromises);
+        } catch (artifactError) {
+          logger.warn('[OpenAI API] Error processing artifacts:', artifactError);
+        }
+      }
+
+      // Build usage from aggregated data
+      const usage = {
+        prompt_tokens: aggregator.usage.promptTokens,
+        completion_tokens: aggregator.usage.completionTokens,
+        total_tokens: aggregator.usage.promptTokens + aggregator.usage.completionTokens,
+      };
+
+      if (aggregator.usage.reasoningTokens > 0) {
+        usage.completion_tokens_details = {
+          reasoning_tokens: aggregator.usage.reasoningTokens,
+        };
+      }
+
+      const response = buildNonStreamingResponse(
+        context,
+        aggregator.getText(),
+        aggregator.getReasoning(),
+        aggregator.toolCalls,
+        usage,
+      );
+      res.json(response);
+    }
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'An error occurred';
+    logger.error('[OpenAI API] Error:', error);
+
+    // Check if we already started streaming (headers sent)
+    if (res.headersSent) {
+      // Headers already sent, send error in stream
+      const errorChunk = createChunk(context, { content: `\n\nError: ${errorMessage}` }, 'stop');
+      writeSSE(res, errorChunk);
+      writeSSE(res, '[DONE]');
+      res.end();
+    } else {
+      sendErrorResponse(res, 500, errorMessage, 'server_error');
+    }
+  }
+};
+
+/**
+ * List available agents as models (filtered by remote access permissions)
+ *
+ * GET /v1/models
+ */
+const ListModelsController = async (req, res) => {
+  try {
+    const userId = req.user?.id;
+    const userRole = req.user?.role;
+
+    if (!userId) {
+      return sendErrorResponse(res, 401, 'Authentication required', 'auth_error');
+    }
+
+    // Find agents the user has remote access to (VIEW permission on REMOTE_AGENT)
+    const accessibleAgentIds = await findAccessibleResources({
+      userId,
+      role: userRole,
+      resourceType: ResourceType.REMOTE_AGENT,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+
+    // Get the accessible agents
+    let agents = [];
+    if (accessibleAgentIds.length > 0) {
+      agents = await getAgents({ _id: { $in: accessibleAgentIds } });
+    }
+
+    const models = agents.map((agent) => ({
+      id: agent.id,
+      object: 'model',
+      created: Math.floor(new Date(agent.createdAt || Date.now()).getTime() / 1000),
+      owned_by: 'librechat',
+      permission: [],
+      root: agent.id,
+      parent: null,
+      // LibreChat extensions
+      name: agent.name,
+      description: agent.description,
+      provider: agent.provider,
+    }));
+
+    res.json({
+      object: 'list',
+      data: models,
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Failed to list models';
+    logger.error('[OpenAI API] Error listing models:', error);
+    sendErrorResponse(res, 500, errorMessage, 'server_error');
+  }
+};
+
+/**
+ * Get a specific model/agent (with remote access permission check)
+ *
+ * GET /v1/models/:model
+ */
+const GetModelController = async (req, res) => {
+  try {
+    const { model } = req.params;
+    const userId = req.user?.id;
+    const userRole = req.user?.role;
+
+    if (!userId) {
+      return sendErrorResponse(res, 401, 'Authentication required', 'auth_error');
+    }
+
+    const agent = await getAgent({ id: model });
+
+    if (!agent) {
+      return sendErrorResponse(
+        res,
+        404,
+        `Model not found: ${model}`,
+        'invalid_request_error',
+        'model_not_found',
+      );
+    }
+
+    // Check if user has remote access to this agent
+    const accessibleAgentIds = await findAccessibleResources({
+      userId,
+      role: userRole,
+      resourceType: ResourceType.REMOTE_AGENT,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+
+    const hasAccess = accessibleAgentIds.some((id) => id.toString() === agent._id.toString());
+
+    if (!hasAccess) {
+      return sendErrorResponse(
+        res,
+        403,
+        `No remote access to model: ${model}`,
+        'permission_error',
+        'access_denied',
+      );
+    }
+
+    res.json({
+      id: agent.id,
+      object: 'model',
+      created: Math.floor(new Date(agent.createdAt || Date.now()).getTime() / 1000),
+      owned_by: 'librechat',
+      permission: [],
+      root: agent.id,
+      parent: null,
+      // LibreChat extensions
+      name: agent.name,
+      description: agent.description,
+      provider: agent.provider,
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Failed to get model';
+    logger.error('[OpenAI API] Error getting model:', error);
+    sendErrorResponse(res, 500, errorMessage, 'server_error');
+  }
+};
+
+module.exports = {
+  OpenAIChatCompletionController,
+  ListModelsController,
+  GetModelController,
+};
diff --git a/api/server/controllers/agents/responses.js b/api/server/controllers/agents/responses.js
new file mode 100644
index 000000000000..bf52edcf7d97
--- /dev/null
+++ b/api/server/controllers/agents/responses.js
@@ -0,0 +1,800 @@
+const { nanoid } = require('nanoid');
+const { v4: uuidv4 } = require('uuid');
+const { logger } = require('@librechat/data-schemas');
+const { EModelEndpoint, ResourceType, PermissionBits } = require('librechat-data-provider');
+const {
+  Callback,
+  ToolEndHandler,
+  formatAgentMessages,
+  ChatModelStreamHandler,
+} = require('@librechat/agents');
+const {
+  createRun,
+  createSafeUser,
+  initializeAgent,
+  // Responses API
+  writeDone,
+  buildResponse,
+  generateResponseId,
+  isValidationFailure,
+  emitResponseCreated,
+  createResponseContext,
+  createResponseTracker,
+  setupStreamingResponse,
+  emitResponseInProgress,
+  convertInputToMessages,
+  validateResponseRequest,
+  buildAggregatedResponse,
+  createResponseAggregator,
+  sendResponsesErrorResponse,
+  createResponsesEventHandlers,
+  createAggregatorEventHandlers,
+} = require('@librechat/api');
+const {
+  createResponsesToolEndCallback,
+  createToolEndCallback,
+} = require('~/server/controllers/agents/callbacks');
+const { findAccessibleResources } = require('~/server/services/PermissionService');
+const { getConvoFiles, saveConvo, getConvo } = require('~/models/Conversation');
+const { loadAgentTools } = require('~/server/services/ToolService');
+const { getAgent, getAgents } = require('~/models/Agent');
+const db = require('~/models');
+
+/** @type {import('@librechat/api').AppConfig | null} */
+let appConfig = null;
+
+/**
+ * Set the app config for the controller
+ * @param {import('@librechat/api').AppConfig} config
+ */
+function setAppConfig(config) {
+  appConfig = config;
+}
+
+/**
+ * Creates a tool loader function for the agent.
+ * @param {AbortSignal} signal - The abort signal
+ */
+function createToolLoader(signal) {
+  return async function loadTools({
+    req,
+    res,
+    tools,
+    model,
+    agentId,
+    provider,
+    tool_options,
+    tool_resources,
+  }) {
+    const agent = { id: agentId, tools, provider, model, tool_options };
+    try {
+      return await loadAgentTools({
+        req,
+        res,
+        agent,
+        signal,
+        tool_resources,
+        streamId: null,
+      });
+    } catch (error) {
+      logger.error('Error loading tools for agent ' + agentId, error);
+    }
+  };
+}
+
+/**
+ * Convert Open Responses input items to internal messages
+ * @param {import('@librechat/api').InputItem[]} input
+ * @returns {Array} Internal messages
+ */
+function convertToInternalMessages(input) {
+  return convertInputToMessages(input);
+}
+
+/**
+ * Load messages from a previous response/conversation
+ * @param {string} conversationId - The conversation/response ID
+ * @param {string} userId - The user ID
+ * @returns {Promise<Array>} Messages from the conversation
+ */
+async function loadPreviousMessages(conversationId, userId) {
+  try {
+    const messages = await db.getMessages({ conversationId, user: userId });
+    if (!messages || messages.length === 0) {
+      return [];
+    }
+
+    // Convert stored messages to internal format
+    return messages.map((msg) => {
+      const internalMsg = {
+        role: msg.isCreatedByUser ? 'user' : 'assistant',
+        content: '',
+        messageId: msg.messageId,
+      };
+
+      // Handle content - could be string or array
+      if (typeof msg.text === 'string') {
+        internalMsg.content = msg.text;
+      } else if (Array.isArray(msg.content)) {
+        // Handle content parts
+        internalMsg.content = msg.content;
+      } else if (msg.text) {
+        internalMsg.content = String(msg.text);
+      }
+
+      return internalMsg;
+    });
+  } catch (error) {
+    logger.error('[Responses API] Error loading previous messages:', error);
+    return [];
+  }
+}
+
+/**
+ * Save input messages to database
+ * @param {import('express').Request} req
+ * @param {string} conversationId
+ * @param {Array} inputMessages - Internal format messages
+ * @param {string} agentId
+ * @returns {Promise<void>}
+ */
+async function saveInputMessages(req, conversationId, inputMessages, agentId) {
+  for (const msg of inputMessages) {
+    if (msg.role === 'user') {
+      await db.saveMessage(
+        req,
+        {
+          messageId: msg.messageId || nanoid(),
+          conversationId,
+          parentMessageId: null,
+          isCreatedByUser: true,
+          text: typeof msg.content === 'string' ? msg.content : JSON.stringify(msg.content),
+          sender: 'User',
+          endpoint: EModelEndpoint.agents,
+          model: agentId,
+        },
+        { context: 'Responses API - save user input' },
+      );
+    }
+  }
+}
+
+/**
+ * Save response output to database
+ * @param {import('express').Request} req
+ * @param {string} conversationId
+ * @param {string} responseId
+ * @param {import('@librechat/api').Response} response
+ * @param {string} agentId
+ * @returns {Promise<void>}
+ */
+async function saveResponseOutput(req, conversationId, responseId, response, agentId) {
+  // Extract text content from output items
+  let responseText = '';
+  for (const item of response.output) {
+    if (item.type === 'message' && item.content) {
+      for (const part of item.content) {
+        if (part.type === 'output_text' && part.text) {
+          responseText += part.text;
+        }
+      }
+    }
+  }
+
+  // Save the assistant message
+  await db.saveMessage(
+    req,
+    {
+      messageId: responseId,
+      conversationId,
+      parentMessageId: null,
+      isCreatedByUser: false,
+      text: responseText,
+      sender: 'Agent',
+      endpoint: EModelEndpoint.agents,
+      model: agentId,
+      finish_reason: response.status === 'completed' ? 'stop' : response.status,
+      tokenCount: response.usage?.output_tokens,
+    },
+    { context: 'Responses API - save assistant response' },
+  );
+}
+
+/**
+ * Save or update conversation
+ * @param {import('express').Request} req
+ * @param {string} conversationId
+ * @param {string} agentId
+ * @param {object} agent
+ * @returns {Promise<void>}
+ */
+async function saveConversation(req, conversationId, agentId, agent) {
+  await saveConvo(
+    req,
+    {
+      conversationId,
+      endpoint: EModelEndpoint.agents,
+      agentId,
+      title: agent?.name || 'Open Responses Conversation',
+      model: agent?.model,
+    },
+    { context: 'Responses API - save conversation' },
+  );
+}
+
+/**
+ * Convert stored messages to Open Responses output format
+ * @param {Array} messages - Stored messages
+ * @returns {Array} Output items
+ */
+function convertMessagesToOutputItems(messages) {
+  const output = [];
+
+  for (const msg of messages) {
+    if (!msg.isCreatedByUser) {
+      output.push({
+        type: 'message',
+        id: msg.messageId,
+        role: 'assistant',
+        status: 'completed',
+        content: [
+          {
+            type: 'output_text',
+            text: msg.text || '',
+            annotations: [],
+          },
+        ],
+      });
+    }
+  }
+
+  return output;
+}
+
+/**
+ * Create Response - POST /v1/responses
+ *
+ * Creates a model response following the Open Responses API specification.
+ * Supports both streaming and non-streaming responses.
+ *
+ * @param {import('express').Request} req
+ * @param {import('express').Response} res
+ */
+const createResponse = async (req, res) => {
+  // Validate request
+  const validation = validateResponseRequest(req.body);
+  if (isValidationFailure(validation)) {
+    return sendResponsesErrorResponse(res, 400, validation.error);
+  }
+
+  const request = validation.request;
+  const agentId = request.model;
+  const isStreaming = request.stream === true;
+
+  // Look up the agent
+  const agent = await getAgent({ id: agentId });
+  if (!agent) {
+    return sendResponsesErrorResponse(
+      res,
+      404,
+      `Agent not found: ${agentId}`,
+      'not_found',
+      'model_not_found',
+    );
+  }
+
+  // Generate IDs
+  const responseId = generateResponseId();
+  const conversationId = request.previous_response_id ?? uuidv4();
+  const parentMessageId = null;
+
+  // Create response context
+  const context = createResponseContext(request, responseId);
+
+  // Set up abort controller
+  const abortController = new AbortController();
+
+  // Handle client disconnect
+  req.on('close', () => {
+    if (!abortController.signal.aborted) {
+      abortController.abort();
+      logger.debug('[Responses API] Client disconnected, aborting');
+    }
+  });
+
+  try {
+    // Build allowed providers set
+    const allowedProviders = new Set(
+      appConfig?.endpoints?.[EModelEndpoint.agents]?.allowedProviders,
+    );
+
+    // Create tool loader
+    const loadTools = createToolLoader(abortController.signal);
+
+    // Initialize the agent first to check for disableStreaming
+    const endpointOption = {
+      endpoint: agent.provider,
+      model_parameters: agent.model_parameters ?? {},
+    };
+
+    const primaryConfig = await initializeAgent(
+      {
+        req,
+        res,
+        loadTools,
+        requestFiles: [],
+        conversationId,
+        parentMessageId,
+        agent,
+        endpointOption,
+        allowedProviders,
+        isInitialAgent: true,
+      },
+      {
+        getConvoFiles,
+        getFiles: db.getFiles,
+        getUserKey: db.getUserKey,
+        getMessages: db.getMessages,
+        updateFilesUsage: db.updateFilesUsage,
+        getUserKeyValues: db.getUserKeyValues,
+        getUserCodeFiles: db.getUserCodeFiles,
+        getToolFilesByIds: db.getToolFilesByIds,
+        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
+      },
+    );
+
+    // Determine if streaming is enabled (check both request and agent config)
+    const streamingDisabled = !!primaryConfig.model_parameters?.disableStreaming;
+    const actuallyStreaming = isStreaming && !streamingDisabled;
+
+    // Load previous messages if previous_response_id is provided
+    let previousMessages = [];
+    if (request.previous_response_id) {
+      const userId = req.user?.id ?? 'api-user';
+      previousMessages = await loadPreviousMessages(request.previous_response_id, userId);
+    }
+
+    // Convert input to internal messages
+    const inputMessages = convertToInternalMessages(
+      typeof request.input === 'string' ? request.input : request.input,
+    );
+
+    // Merge previous messages with new input
+    const allMessages = [...previousMessages, ...inputMessages];
+
+    // Format for agent
+    const toolSet = new Set((primaryConfig.tools ?? []).map((tool) => tool && tool.name));
+    const { messages: formattedMessages, indexTokenCountMap } = formatAgentMessages(
+      allMessages,
+      {},
+      toolSet,
+    );
+
+    // Create tracker for streaming or aggregator for non-streaming
+    const tracker = actuallyStreaming ? createResponseTracker() : null;
+    const aggregator = actuallyStreaming ? null : createResponseAggregator();
+
+    // Set up response for streaming
+    if (actuallyStreaming) {
+      setupStreamingResponse(res);
+
+      // Create handler config
+      const handlerConfig = {
+        res,
+        context,
+        tracker,
+      };
+
+      // Emit response.created then response.in_progress per Open Responses spec
+      emitResponseCreated(handlerConfig);
+      emitResponseInProgress(handlerConfig);
+
+      // Create event handlers
+      const { handlers: responsesHandlers, finalizeStream } =
+        createResponsesEventHandlers(handlerConfig);
+
+      // Built-in handler for processing raw model stream chunks
+      const chatModelStreamHandler = new ChatModelStreamHandler();
+
+      // Artifact promises for processing tool outputs
+      /** @type {Promise<import('librechat-data-provider').TAttachment | null>[]} */
+      const artifactPromises = [];
+      // Use Responses API-specific callback that emits librechat:attachment events
+      const toolEndCallback = createResponsesToolEndCallback({
+        req,
+        res,
+        tracker,
+        artifactPromises,
+      });
+
+      // Combine handlers
+      const handlers = {
+        on_chat_model_stream: {
+          handle: async (event, data, metadata, graph) => {
+            await chatModelStreamHandler.handle(event, data, metadata, graph);
+          },
+        },
+        on_message_delta: responsesHandlers.on_message_delta,
+        on_reasoning_delta: responsesHandlers.on_reasoning_delta,
+        on_run_step: responsesHandlers.on_run_step,
+        on_run_step_delta: responsesHandlers.on_run_step_delta,
+        on_chat_model_end: responsesHandlers.on_chat_model_end,
+        on_tool_end: new ToolEndHandler(toolEndCallback, logger),
+        on_run_step_completed: { handle: () => {} },
+        on_chain_stream: { handle: () => {} },
+        on_chain_end: { handle: () => {} },
+        on_agent_update: { handle: () => {} },
+        on_custom_event: { handle: () => {} },
+      };
+
+      // Create and run the agent
+      const userId = req.user?.id ?? 'api-user';
+      const userMCPAuthMap = primaryConfig.userMCPAuthMap;
+
+      const run = await createRun({
+        agents: [primaryConfig],
+        messages: formattedMessages,
+        indexTokenCountMap,
+        runId: responseId,
+        signal: abortController.signal,
+        customHandlers: handlers,
+        requestBody: {
+          messageId: responseId,
+          conversationId,
+        },
+        user: { id: userId },
+      });
+
+      if (!run) {
+        throw new Error('Failed to create agent run');
+      }
+
+      // Process the stream
+      const config = {
+        runName: 'AgentRun',
+        configurable: {
+          thread_id: conversationId,
+          user_id: userId,
+          user: createSafeUser(req.user),
+          ...(userMCPAuthMap != null && { userMCPAuthMap }),
+        },
+        signal: abortController.signal,
+        streamMode: 'values',
+        version: 'v2',
+      };
+
+      await run.processStream({ messages: formattedMessages }, config, {
+        callbacks: {
+          [Callback.TOOL_ERROR]: (graph, error, toolId) => {
+            logger.error(`[Responses API] Tool Error "${toolId}"`, error);
+          },
+        },
+      });
+
+      // Finalize the stream
+      finalizeStream();
+      res.end();
+
+      // Save to database if store: true
+      if (request.store === true) {
+        try {
+          // Save conversation
+          await saveConversation(req, conversationId, agentId, agent);
+
+          // Save input messages
+          await saveInputMessages(req, conversationId, inputMessages, agentId);
+
+          // Build response for saving (use tracker with buildResponse for streaming)
+          const finalResponse = buildResponse(context, tracker, 'completed');
+          await saveResponseOutput(req, conversationId, responseId, finalResponse, agentId);
+
+          logger.debug(
+            `[Responses API] Stored response ${responseId} in conversation ${conversationId}`,
+          );
+        } catch (saveError) {
+          logger.error('[Responses API] Error saving response:', saveError);
+          // Don't fail the request if saving fails
+        }
+      }
+
+      // Wait for artifact processing after response ends (non-blocking)
+      if (artifactPromises.length > 0) {
+        Promise.all(artifactPromises).catch((artifactError) => {
+          logger.warn('[Responses API] Error processing artifacts:', artifactError);
+        });
+      }
+    } else {
+      // Non-streaming response
+      const aggregatorHandlers = createAggregatorEventHandlers(aggregator);
+
+      // Built-in handler for processing raw model stream chunks
+      const chatModelStreamHandler = new ChatModelStreamHandler();
+
+      // Artifact promises for processing tool outputs
+      /** @type {Promise<import('librechat-data-provider').TAttachment | null>[]} */
+      const artifactPromises = [];
+      const toolEndCallback = createToolEndCallback({ req, res, artifactPromises, streamId: null });
+
+      // Combine handlers
+      const handlers = {
+        on_chat_model_stream: {
+          handle: async (event, data, metadata, graph) => {
+            await chatModelStreamHandler.handle(event, data, metadata, graph);
+          },
+        },
+        on_message_delta: aggregatorHandlers.on_message_delta,
+        on_reasoning_delta: aggregatorHandlers.on_reasoning_delta,
+        on_run_step: aggregatorHandlers.on_run_step,
+        on_run_step_delta: aggregatorHandlers.on_run_step_delta,
+        on_chat_model_end: aggregatorHandlers.on_chat_model_end,
+        on_tool_end: new ToolEndHandler(toolEndCallback, logger),
+        on_run_step_completed: { handle: () => {} },
+        on_chain_stream: { handle: () => {} },
+        on_chain_end: { handle: () => {} },
+        on_agent_update: { handle: () => {} },
+        on_custom_event: { handle: () => {} },
+      };
+
+      // Create and run the agent
+      const userId = req.user?.id ?? 'api-user';
+      const userMCPAuthMap = primaryConfig.userMCPAuthMap;
+
+      const run = await createRun({
+        agents: [primaryConfig],
+        messages: formattedMessages,
+        indexTokenCountMap,
+        runId: responseId,
+        signal: abortController.signal,
+        customHandlers: handlers,
+        requestBody: {
+          messageId: responseId,
+          conversationId,
+        },
+        user: { id: userId },
+      });
+
+      if (!run) {
+        throw new Error('Failed to create agent run');
+      }
+
+      // Process the stream
+      const config = {
+        runName: 'AgentRun',
+        configurable: {
+          thread_id: conversationId,
+          user_id: userId,
+          user: createSafeUser(req.user),
+          ...(userMCPAuthMap != null && { userMCPAuthMap }),
+        },
+        signal: abortController.signal,
+        streamMode: 'values',
+        version: 'v2',
+      };
+
+      await run.processStream({ messages: formattedMessages }, config, {
+        callbacks: {
+          [Callback.TOOL_ERROR]: (graph, error, toolId) => {
+            logger.error(`[Responses API] Tool Error "${toolId}"`, error);
+          },
+        },
+      });
+
+      // Wait for artifacts before sending response
+      if (artifactPromises.length > 0) {
+        try {
+          await Promise.all(artifactPromises);
+        } catch (artifactError) {
+          logger.warn('[Responses API] Error processing artifacts:', artifactError);
+        }
+      }
+
+      // Build and send the response
+      const response = buildAggregatedResponse(context, aggregator);
+
+      // Save to database if store: true
+      if (request.store === true) {
+        try {
+          // Save conversation
+          await saveConversation(req, conversationId, agentId, agent);
+
+          // Save input messages
+          await saveInputMessages(req, conversationId, inputMessages, agentId);
+
+          // Save response output
+          await saveResponseOutput(req, conversationId, responseId, response, agentId);
+
+          logger.debug(
+            `[Responses API] Stored response ${responseId} in conversation ${conversationId}`,
+          );
+        } catch (saveError) {
+          logger.error('[Responses API] Error saving response:', saveError);
+          // Don't fail the request if saving fails
+        }
+      }
+
+      res.json(response);
+    }
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'An error occurred';
+    logger.error('[Responses API] Error:', error);
+
+    // Check if we already started streaming (headers sent)
+    if (res.headersSent) {
+      // Headers already sent, write error event and close
+      writeDone(res);
+      res.end();
+    } else {
+      sendResponsesErrorResponse(res, 500, errorMessage, 'server_error');
+    }
+  }
+};
+
+/**
+ * List available agents as models - GET /v1/models (also works with /v1/responses/models)
+ *
+ * Returns a list of available agents the user has remote access to.
+ *
+ * @param {import('express').Request} req
+ * @param {import('express').Response} res
+ */
+const listModels = async (req, res) => {
+  try {
+    const userId = req.user?.id;
+    const userRole = req.user?.role;
+
+    if (!userId) {
+      return sendResponsesErrorResponse(res, 401, 'Authentication required', 'auth_error');
+    }
+
+    // Find agents the user has remote access to (VIEW permission on REMOTE_AGENT)
+    const accessibleAgentIds = await findAccessibleResources({
+      userId,
+      role: userRole,
+      resourceType: ResourceType.REMOTE_AGENT,
+      requiredPermissions: PermissionBits.VIEW,
+    });
+
+    // Get the accessible agents
+    let agents = [];
+    if (accessibleAgentIds.length > 0) {
+      agents = await getAgents({ _id: { $in: accessibleAgentIds } });
+    }
+
+    // Convert to models format
+    const models = agents.map((agent) => ({
+      id: agent.id,
+      object: 'model',
+      created: Math.floor(new Date(agent.createdAt).getTime() / 1000),
+      owned_by: agent.author ?? 'librechat',
+      // Additional metadata
+      name: agent.name,
+      description: agent.description,
+      provider: agent.provider,
+    }));
+
+    res.json({
+      object: 'list',
+      data: models,
+    });
+  } catch (error) {
+    logger.error('[Responses API] Error listing models:', error);
+    sendResponsesErrorResponse(
+      res,
+      500,
+      error instanceof Error ? error.message : 'Failed to list models',
+      'server_error',
+    );
+  }
+};
+
+/**
+ * Get Response - GET /v1/responses/:id
+ *
+ * Retrieves a stored response by its ID.
+ * The response ID maps to a conversationId in LibreChat's storage.
+ *
+ * @param {import('express').Request} req
+ * @param {import('express').Response} res
+ */
+const getResponse = async (req, res) => {
+  try {
+    const responseId = req.params.id;
+    const userId = req.user?.id;
+
+    if (!responseId) {
+      return sendResponsesErrorResponse(res, 400, 'Response ID is required');
+    }
+
+    // The responseId could be either the response ID or the conversation ID
+    // Try to find a conversation with this ID
+    const conversation = await getConvo(userId, responseId);
+
+    if (!conversation) {
+      return sendResponsesErrorResponse(
+        res,
+        404,
+        `Response not found: ${responseId}`,
+        'not_found',
+        'response_not_found',
+      );
+    }
+
+    // Load messages for this conversation
+    const messages = await db.getMessages({ conversationId: responseId, user: userId });
+
+    if (!messages || messages.length === 0) {
+      return sendResponsesErrorResponse(
+        res,
+        404,
+        `No messages found for response: ${responseId}`,
+        'not_found',
+        'response_not_found',
+      );
+    }
+
+    // Convert messages to Open Responses output format
+    const output = convertMessagesToOutputItems(messages);
+
+    // Find the last assistant message for usage info
+    const lastAssistantMessage = messages.filter((m) => !m.isCreatedByUser).pop();
+
+    // Build the response object
+    const response = {
+      id: responseId,
+      object: 'response',
+      created_at: Math.floor(new Date(conversation.createdAt || Date.now()).getTime() / 1000),
+      completed_at: Math.floor(new Date(conversation.updatedAt || Date.now()).getTime() / 1000),
+      status: 'completed',
+      incomplete_details: null,
+      model: conversation.agentId || conversation.model || 'unknown',
+      previous_response_id: null,
+      instructions: null,
+      output,
+      error: null,
+      tools: [],
+      tool_choice: 'auto',
+      truncation: 'disabled',
+      parallel_tool_calls: true,
+      text: { format: { type: 'text' } },
+      temperature: 1,
+      top_p: 1,
+      presence_penalty: 0,
+      frequency_penalty: 0,
+      top_logprobs: null,
+      reasoning: null,
+      user: userId,
+      usage: lastAssistantMessage?.tokenCount
+        ? {
+            input_tokens: 0,
+            output_tokens: lastAssistantMessage.tokenCount,
+            total_tokens: lastAssistantMessage.tokenCount,
+          }
+        : null,
+      max_output_tokens: null,
+      max_tool_calls: null,
+      store: true,
+      background: false,
+      service_tier: 'default',
+      metadata: {},
+      safety_identifier: null,
+      prompt_cache_key: null,
+    };
+
+    res.json(response);
+  } catch (error) {
+    logger.error('[Responses API] Error getting response:', error);
+    sendResponsesErrorResponse(
+      res,
+      500,
+      error instanceof Error ? error.message : 'Failed to get response',
+      'server_error',
+    );
+  }
+};
+
+module.exports = {
+  createResponse,
+  getResponse,
+  listModels,
+  setAppConfig,
+};
diff --git a/api/server/controllers/agents/v1.js b/api/server/controllers/agents/v1.js
index 9f0a4a227974..34078b225000 100644
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@@ -11,7 +11,9 @@ const {
   convertOcrToContextInPlace,
 } = require('@librechat/api');
 const {
+  Time,
   Tools,
+  CacheKeys,
   Constants,
   FileSources,
   ResourceType,
@@ -21,8 +23,6 @@ const {
   PermissionBits,
   actionDelimiter,
   removeNullishValues,
-  CacheKeys,
-  Time,
 } = require('librechat-data-provider');
 const {
   getListAgentsByAccess,
@@ -94,16 +94,25 @@ const createAgentHandler = async (req, res) => {
 
     const agent = await createAgent(agentData);
 
-    // Automatically grant owner permissions to the creator
     try {
-      await grantPermission({
-        principalType: PrincipalType.USER,
-        principalId: userId,
-        resourceType: ResourceType.AGENT,
-        resourceId: agent._id,
-        accessRoleId: AccessRoleIds.AGENT_OWNER,
-        grantedBy: userId,
-      });
+      await Promise.all([
+        grantPermission({
+          principalType: PrincipalType.USER,
+          principalId: userId,
+          resourceType: ResourceType.AGENT,
+          resourceId: agent._id,
+          accessRoleId: AccessRoleIds.AGENT_OWNER,
+          grantedBy: userId,
+        }),
+        grantPermission({
+          principalType: PrincipalType.USER,
+          principalId: userId,
+          resourceType: ResourceType.REMOTE_AGENT,
+          resourceId: agent._id,
+          accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+          grantedBy: userId,
+        }),
+      ]);
       logger.debug(
         `[createAgent] Granted owner permissions to user ${userId} for agent ${agent.id}`,
       );
@@ -396,16 +405,25 @@ const duplicateAgentHandler = async (req, res) => {
     newAgentData.actions = agentActions;
     const newAgent = await createAgent(newAgentData);
 
-    // Automatically grant owner permissions to the duplicator
     try {
-      await grantPermission({
-        principalType: PrincipalType.USER,
-        principalId: userId,
-        resourceType: ResourceType.AGENT,
-        resourceId: newAgent._id,
-        accessRoleId: AccessRoleIds.AGENT_OWNER,
-        grantedBy: userId,
-      });
+      await Promise.all([
+        grantPermission({
+          principalType: PrincipalType.USER,
+          principalId: userId,
+          resourceType: ResourceType.AGENT,
+          resourceId: newAgent._id,
+          accessRoleId: AccessRoleIds.AGENT_OWNER,
+          grantedBy: userId,
+        }),
+        grantPermission({
+          principalType: PrincipalType.USER,
+          principalId: userId,
+          resourceType: ResourceType.REMOTE_AGENT,
+          resourceId: newAgent._id,
+          accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+          grantedBy: userId,
+        }),
+      ]);
       logger.debug(
         `[duplicateAgent] Granted owner permissions to user ${userId} for duplicated agent ${newAgent.id}`,
       );
diff --git a/api/server/controllers/auth/LogoutController.js b/api/server/controllers/auth/LogoutController.js
index ec6631628535..16da12aadde3 100644
--- a/api/server/controllers/auth/LogoutController.js
+++ b/api/server/controllers/auth/LogoutController.js
@@ -24,6 +24,9 @@ const logoutController = async (req, res) => {
     res.clearCookie('openid_access_token');
     res.clearCookie('openid_user_id');
     res.clearCookie('token_provider');
+    if (isEnabled(process.env.OPENID_EXPOSE_SUB_COOKIE)) {
+      res.clearCookie('openid_sub');
+    }
     const response = { message };
     if (
       isOpenIdUser &&
diff --git a/api/server/controllers/auth/oauth.js b/api/server/controllers/auth/oauth.js
new file mode 100644
index 000000000000..80c2ced0026a
--- /dev/null
+++ b/api/server/controllers/auth/oauth.js
@@ -0,0 +1,79 @@
+const { CacheKeys } = require('librechat-data-provider');
+const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas');
+const {
+  isEnabled,
+  getAdminPanelUrl,
+  isAdminPanelRedirect,
+  generateAdminExchangeCode,
+} = require('@librechat/api');
+const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
+const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
+const getLogStores = require('~/cache/getLogStores');
+const { checkBan } = require('~/server/middleware');
+const { generateToken } = require('~/models');
+
+const domains = {
+  client: process.env.DOMAIN_CLIENT,
+  server: process.env.DOMAIN_SERVER,
+};
+
+function createOAuthHandler(redirectUri = domains.client) {
+  /**
+   * A handler to process OAuth authentication results.
+   * @type {Function}
+   * @param {ServerRequest} req - Express request object.
+   * @param {ServerResponse} res - Express response object.
+   * @param {NextFunction} next - Express next middleware function.
+   */
+  return async (req, res, next) => {
+    try {
+      if (res.headersSent) {
+        return;
+      }
+
+      await checkBan(req, res);
+      if (req.banned) {
+        return;
+      }
+
+      /** Check if this is an admin panel redirect (cross-origin) */
+      if (isAdminPanelRedirect(redirectUri, getAdminPanelUrl(), domains.client)) {
+        /** For admin panel, generate exchange code instead of setting cookies */
+        const cache = getLogStores(CacheKeys.ADMIN_OAUTH_EXCHANGE);
+        const sessionExpiry = Number(process.env.SESSION_EXPIRY) || DEFAULT_SESSION_EXPIRY;
+        const token = await generateToken(req.user, sessionExpiry);
+
+        /** Get refresh token from tokenset for OpenID users */
+        const refreshToken =
+          req.user.tokenset?.refresh_token || req.user.federatedTokens?.refresh_token;
+
+        const exchangeCode = await generateAdminExchangeCode(cache, req.user, token, refreshToken);
+
+        const callbackUrl = new URL(redirectUri);
+        callbackUrl.searchParams.set('code', exchangeCode);
+        logger.info(`[OAuth] Admin panel redirect with exchange code for user: ${req.user.email}`);
+        return res.redirect(callbackUrl.toString());
+      }
+
+      /** Standard OAuth flow - set cookies and redirect */
+      if (
+        req.user &&
+        req.user.provider == 'openid' &&
+        isEnabled(process.env.OPENID_REUSE_TOKENS) === true
+      ) {
+        await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
+        setOpenIDAuthTokens(req.user.tokenset, req, res, req.user._id.toString());
+      } else {
+        await setAuthTokens(req.user._id, res);
+      }
+      res.redirect(redirectUri);
+    } catch (err) {
+      logger.error('Error in setting authentication tokens:', err);
+      next(err);
+    }
+  };
+}
+
+module.exports = {
+  createOAuthHandler,
+};
diff --git a/api/server/experimental.js b/api/server/experimental.js
index 91ef9ef28671..4a457abf6107 100644
--- a/api/server/experimental.js
+++ b/api/server/experimental.js
@@ -299,6 +299,7 @@ if (cluster.isMaster) {
     app.use('/api/auth', routes.auth);
     app.use('/api/actions', routes.actions);
     app.use('/api/keys', routes.keys);
+    app.use('/api/api-keys', routes.apiKeys);
     app.use('/api/user', routes.user);
     app.use('/api/search', routes.search);
     app.use('/api/messages', routes.messages);
diff --git a/api/server/index.js b/api/server/index.js
index a7ddd47f375d..fcd0229c9f3d 100644
--- a/api/server/index.js
+++ b/api/server/index.js
@@ -134,8 +134,10 @@ const startServer = async () => {
   app.use('/oauth', routes.oauth);
   /* API Endpoints */
   app.use('/api/auth', routes.auth);
+  app.use('/api/admin', routes.adminAuth);
   app.use('/api/actions', routes.actions);
   app.use('/api/keys', routes.keys);
+  app.use('/api/api-keys', routes.apiKeys);
   app.use('/api/user', routes.user);
   app.use('/api/search', routes.search);
   app.use('/api/messages', routes.messages);
diff --git a/api/server/middleware/checkSharePublicAccess.js b/api/server/middleware/checkSharePublicAccess.js
index c094d54acb3a..0e95b9f6f859 100644
--- a/api/server/middleware/checkSharePublicAccess.js
+++ b/api/server/middleware/checkSharePublicAccess.js
@@ -9,6 +9,7 @@ const resourceToPermissionType = {
   [ResourceType.AGENT]: PermissionTypes.AGENTS,
   [ResourceType.PROMPTGROUP]: PermissionTypes.PROMPTS,
   [ResourceType.MCPSERVER]: PermissionTypes.MCP_SERVERS,
+  [ResourceType.REMOTE_AGENT]: PermissionTypes.REMOTE_AGENTS,
 };
 
 /**
diff --git a/api/server/routes/accessPermissions.js b/api/server/routes/accessPermissions.js
index 79e7f3ddcaca..45afec133b77 100644
--- a/api/server/routes/accessPermissions.js
+++ b/api/server/routes/accessPermissions.js
@@ -53,6 +53,12 @@ const checkResourcePermissionAccess = (requiredPermission) => (req, res, next) =
       requiredPermission,
       resourceIdParam: 'resourceId',
     });
+  } else if (resourceType === ResourceType.REMOTE_AGENT) {
+    middleware = canAccessResource({
+      resourceType: ResourceType.REMOTE_AGENT,
+      requiredPermission,
+      resourceIdParam: 'resourceId',
+    });
   } else if (resourceType === ResourceType.PROMPTGROUP) {
     middleware = canAccessResource({
       resourceType: ResourceType.PROMPTGROUP,
diff --git a/api/server/routes/admin/auth.js b/api/server/routes/admin/auth.js
new file mode 100644
index 000000000000..291b5eaaf85f
--- /dev/null
+++ b/api/server/routes/admin/auth.js
@@ -0,0 +1,127 @@
+const express = require('express');
+const passport = require('passport');
+const { randomState } = require('openid-client');
+const { logger } = require('@librechat/data-schemas');
+const { CacheKeys } = require('librechat-data-provider');
+const {
+  requireAdmin,
+  getAdminPanelUrl,
+  exchangeAdminCode,
+  createSetBalanceConfig,
+} = require('@librechat/api');
+const { loginController } = require('~/server/controllers/auth/LoginController');
+const { createOAuthHandler } = require('~/server/controllers/auth/oauth');
+const { getAppConfig } = require('~/server/services/Config');
+const getLogStores = require('~/cache/getLogStores');
+const { getOpenIdConfig } = require('~/strategies');
+const middleware = require('~/server/middleware');
+const { Balance } = require('~/db/models');
+
+const setBalanceConfig = createSetBalanceConfig({
+  getAppConfig,
+  Balance,
+});
+
+const router = express.Router();
+
+router.post(
+  '/login/local',
+  middleware.logHeaders,
+  middleware.loginLimiter,
+  middleware.checkBan,
+  middleware.requireLocalAuth,
+  requireAdmin,
+  setBalanceConfig,
+  loginController,
+);
+
+router.get('/verify', middleware.requireJwtAuth, requireAdmin, (req, res) => {
+  const { password: _p, totpSecret: _t, __v, ...user } = req.user;
+  user.id = user._id.toString();
+  res.status(200).json({ user });
+});
+
+router.get('/oauth/openid/check', (req, res) => {
+  const openidConfig = getOpenIdConfig();
+  if (!openidConfig) {
+    return res.status(404).json({
+      error: 'OpenID configuration not found',
+      error_code: 'OPENID_NOT_CONFIGURED',
+    });
+  }
+  res.status(200).json({ message: 'OpenID check successful' });
+});
+
+router.get('/oauth/openid', (req, res, next) => {
+  return passport.authenticate('openidAdmin', {
+    session: false,
+    state: randomState(),
+  })(req, res, next);
+});
+
+router.get(
+  '/oauth/openid/callback',
+  passport.authenticate('openidAdmin', {
+    failureRedirect: `${getAdminPanelUrl()}/auth/openid/callback?error=auth_failed&error_description=Authentication+failed`,
+    failureMessage: true,
+    session: false,
+  }),
+  requireAdmin,
+  setBalanceConfig,
+  middleware.checkDomainAllowed,
+  createOAuthHandler(`${getAdminPanelUrl()}/auth/openid/callback`),
+);
+
+/** Regex pattern for valid exchange codes: 64 hex characters */
+const EXCHANGE_CODE_PATTERN = /^[a-f0-9]{64}$/i;
+
+/**
+ * Exchange OAuth authorization code for tokens.
+ * This endpoint is called server-to-server by the admin panel.
+ * The code is one-time-use and expires in 30 seconds.
+ *
+ * POST /api/admin/oauth/exchange
+ * Body: { code: string }
+ * Response: { token: string, refreshToken: string, user: object }
+ */
+router.post('/oauth/exchange', middleware.loginLimiter, async (req, res) => {
+  try {
+    const { code } = req.body;
+
+    if (!code) {
+      logger.warn('[admin/oauth/exchange] Missing authorization code');
+      return res.status(400).json({
+        error: 'Missing authorization code',
+        error_code: 'MISSING_CODE',
+      });
+    }
+
+    if (typeof code !== 'string' || !EXCHANGE_CODE_PATTERN.test(code)) {
+      logger.warn('[admin/oauth/exchange] Invalid authorization code format');
+      return res.status(400).json({
+        error: 'Invalid authorization code format',
+        error_code: 'INVALID_CODE_FORMAT',
+      });
+    }
+
+    const cache = getLogStores(CacheKeys.ADMIN_OAUTH_EXCHANGE);
+    const result = await exchangeAdminCode(cache, code);
+
+    if (!result) {
+      return res.status(401).json({
+        error: 'Invalid or expired authorization code',
+        error_code: 'INVALID_OR_EXPIRED_CODE',
+      });
+    }
+
+    res.json(result);
+  } catch (error) {
+    logger.error('[admin/oauth/exchange] Error:', error);
+    res.status(500).json({
+      error: 'Internal server error',
+      error_code: 'INTERNAL_ERROR',
+    });
+  }
+});
+
+module.exports = router;
diff --git a/api/server/routes/agents/__tests__/abort.spec.js b/api/server/routes/agents/__tests__/abort.spec.js
index e879d51452b5..442665d97376 100644
--- a/api/server/routes/agents/__tests__/abort.spec.js
+++ b/api/server/routes/agents/__tests__/abort.spec.js
@@ -26,10 +26,12 @@ const mockGenerationJobManager = {
 const mockSaveMessage = jest.fn();
 
 jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
   logger: mockLogger,
 }));
 
 jest.mock('@librechat/api', () => ({
+  ...jest.requireActual('@librechat/api'),
   isEnabled: jest.fn().mockReturnValue(false),
   GenerationJobManager: mockGenerationJobManager,
 }));
diff --git a/api/server/routes/agents/__tests__/responses.spec.js b/api/server/routes/agents/__tests__/responses.spec.js
new file mode 100644
index 000000000000..4d83219b84b3
--- /dev/null
+++ b/api/server/routes/agents/__tests__/responses.spec.js
@@ -0,0 +1,1125 @@
+/**
+ * Open Responses API Integration Tests
+ *
+ * Tests the /v1/responses endpoint against the Open Responses specification
+ * compliance tests. Uses real Anthropic API for LLM calls.
+ *
+ * @see https://openresponses.org/specification
+ * @see https://github.com/openresponses/openresponses/blob/main/src/lib/compliance-tests.ts
+ */
+
+// Load environment variables from root .env file for API keys
+require('dotenv').config({ path: require('path').resolve(__dirname, '../../../../../.env') });
+
+const originalEnv = {
+  CREDS_KEY: process.env.CREDS_KEY,
+  CREDS_IV: process.env.CREDS_IV,
+};
+
+process.env.CREDS_KEY = '0123456789abcdef0123456789abcdef';
+process.env.CREDS_IV = '0123456789abcdef';
+
+/** Skip tests if ANTHROPIC_API_KEY is not available */
+const SKIP_INTEGRATION_TESTS = !process.env.ANTHROPIC_API_KEY;
+if (SKIP_INTEGRATION_TESTS) {
+  console.warn('ANTHROPIC_API_KEY not found - skipping integration tests');
+}
+
+jest.mock('meilisearch', () => ({
+  MeiliSearch: jest.fn().mockImplementation(() => ({
+    getIndex: jest.fn().mockRejectedValue(new Error('mocked')),
+    index: jest.fn().mockReturnValue({
+      getRawInfo: jest.fn().mockResolvedValue({ primaryKey: 'id' }),
+      updateSettings: jest.fn().mockResolvedValue({}),
+      addDocuments: jest.fn().mockResolvedValue({}),
+      updateDocuments: jest.fn().mockResolvedValue({}),
+      deleteDocument: jest.fn().mockResolvedValue({}),
+    }),
+  })),
+}));
+
+jest.mock('~/server/services/Config', () => ({
+  loadCustomConfig: jest.fn(() => Promise.resolve({})),
+  getAppConfig: jest.fn().mockResolvedValue({
+    paths: {
+      uploads: '/tmp',
+      dist: '/tmp/dist',
+      fonts: '/tmp/fonts',
+      assets: '/tmp/assets',
+    },
+    fileStrategy: 'local',
+    imageOutputType: 'PNG',
+    endpoints: {
+      agents: {
+        allowedProviders: ['anthropic', 'openAI'],
+      },
+    },
+  }),
+  setCachedTools: jest.fn(),
+  getCachedTools: jest.fn(),
+  getMCPServerTools: jest.fn().mockReturnValue([]),
+}));
+
+jest.mock('~/app/clients/tools', () => ({
+  createOpenAIImageTools: jest.fn(() => []),
+  createYouTubeTools: jest.fn(() => []),
+  manifestToolMap: {},
+  toolkits: [],
+}));
+
+jest.mock('~/config', () => ({
+  createMCPServersRegistry: jest.fn(),
+  createMCPManager: jest.fn().mockResolvedValue({
+    getAppToolFunctions: jest.fn().mockResolvedValue({}),
+  }),
+}));
+
+const express = require('express');
+const request = require('supertest');
+const mongoose = require('mongoose');
+const { v4: uuidv4 } = require('uuid');
+const { MongoMemoryServer } = require('mongodb-memory-server');
+const { hashToken, getRandomValues, createModels } = require('@librechat/data-schemas');
+const {
+  SystemRoles,
+  ResourceType,
+  AccessRoleIds,
+  PrincipalType,
+  PrincipalModel,
+  PermissionBits,
+  EModelEndpoint,
+} = require('librechat-data-provider');
+
+/** @type {import('mongoose').Model} */
+let Agent;
+/** @type {import('mongoose').Model} */
+let AgentApiKey;
+/** @type {import('mongoose').Model} */
+let User;
+/** @type {import('mongoose').Model} */
+let AclEntry;
+/** @type {import('mongoose').Model} */
+let AccessRole;
+
+/**
+ * Parse SSE stream into events
+ * @param {string} text - Raw SSE text
+ * @returns {Array<{event: string, data: unknown}>}
+ */
+function parseSSEEvents(text) {
+  const events = [];
+  const lines = text.split('\n');
+
+  let currentEvent = '';
+  let currentData = '';
+
+  for (const line of lines) {
+    if (line.startsWith('event:')) {
+      currentEvent = line.slice(6).trim();
+    } else if (line.startsWith('data:')) {
+      currentData = line.slice(5).trim();
+    } else if (line === '' && currentData) {
+      if (currentData === '[DONE]') {
+        events.push({ event: 'done', data: '[DONE]' });
+      } else {
+        try {
+          const parsed = JSON.parse(currentData);
+          events.push({
+            event: currentEvent || parsed.type || 'unknown',
+            data: parsed,
+          });
+        } catch {
+          // Skip unparseable data
+        }
+      }
+      currentEvent = '';
+      currentData = '';
+    }
+  }
+
+  return events;
+}
+
+/**
+ * Valid streaming event types per Open Responses specification
+ * @see https://github.com/openresponses/openresponses/blob/main/src/lib/sse-parser.ts
+ */
+const VALID_STREAMING_EVENT_TYPES = new Set([
+  // Standard Open Responses events
+  'response.created',
+  'response.queued',
+  'response.in_progress',
+  'response.completed',
+  'response.failed',
+  'response.incomplete',
+  'response.output_item.added',
+  'response.output_item.done',
+  'response.content_part.added',
+  'response.content_part.done',
+  'response.output_text.delta',
+  'response.output_text.done',
+  'response.refusal.delta',
+  'response.refusal.done',
+  'response.function_call_arguments.delta',
+  'response.function_call_arguments.done',
+  'response.reasoning_summary_part.added',
+  'response.reasoning_summary_part.done',
+  'response.reasoning.delta',
+  'response.reasoning.done',
+  'response.reasoning_summary_text.delta',
+  'response.reasoning_summary_text.done',
+  'response.output_text.annotation.added',
+  'error',
+  // LibreChat extension events (prefixed per Open Responses spec)
+  // @see https://openresponses.org/specification#extending-streaming-events
+  'librechat:attachment',
+]);
+
+/**
+ * Validate a streaming event against Open Responses spec
+ * @param {Object} event - Parsed event with data
+ * @returns {string[]} Array of validation errors
+ */
+function validateStreamingEvent(event) {
+  const errors = [];
+  const data = event.data;
+
+  if (!data || typeof data !== 'object') {
+    return errors; // Skip non-object data (e.g., [DONE])
+  }
+
+  const eventType = data.type;
+
+  // Check event type is valid
+  if (!VALID_STREAMING_EVENT_TYPES.has(eventType)) {
+    errors.push(`Invalid event type: ${eventType}`);
+    return errors;
+  }
+
+  // Validate required fields based on event type
+  switch (eventType) {
+    case 'response.output_text.delta':
+      if (typeof data.sequence_number !== 'number') {
+        errors.push('response.output_text.delta: missing sequence_number');
+      }
+      if (typeof data.item_id !== 'string') {
+        errors.push('response.output_text.delta: missing item_id');
+      }
+      if (typeof data.output_index !== 'number') {
+        errors.push('response.output_text.delta: missing output_index');
+      }
+      if (typeof data.content_index !== 'number') {
+        errors.push('response.output_text.delta: missing content_index');
+      }
+      if (typeof data.delta !== 'string') {
+        errors.push('response.output_text.delta: missing delta');
+      }
+      if (!Array.isArray(data.logprobs)) {
+        errors.push('response.output_text.delta: missing logprobs array');
+      }
+      break;
+
+    case 'response.output_text.done':
+      if (typeof data.sequence_number !== 'number') {
+        errors.push('response.output_text.done: missing sequence_number');
+      }
+      if (typeof data.item_id !== 'string') {
+        errors.push('response.output_text.done: missing item_id');
+      }
+      if (typeof data.output_index !== 'number') {
+        errors.push('response.output_text.done: missing output_index');
+      }
+      if (typeof data.content_index !== 'number') {
+        errors.push('response.output_text.done: missing content_index');
+      }
+      if (typeof data.text !== 'string') {
+        errors.push('response.output_text.done: missing text');
+      }
+      if (!Array.isArray(data.logprobs)) {
+        errors.push('response.output_text.done: missing logprobs array');
+      }
+      break;
+
+    case 'response.reasoning.delta':
+      if (typeof data.sequence_number !== 'number') {
+        errors.push('response.reasoning.delta: missing sequence_number');
+      }
+      if (typeof data.item_id !== 'string') {
+        errors.push('response.reasoning.delta: missing item_id');
+      }
+      if (typeof data.output_index !== 'number') {
+        errors.push('response.reasoning.delta: missing output_index');
+      }
+      if (typeof data.content_index !== 'number') {
+        errors.push('response.reasoning.delta: missing content_index');
+      }
+      if (typeof data.delta !== 'string') {
+        errors.push('response.reasoning.delta: missing delta');
+      }
+      break;
+
+    case 'response.reasoning.done':
+      if (typeof data.sequence_number !== 'number') {
+        errors.push('response.reasoning.done: missing sequence_number');
+      }
+      if (typeof data.item_id !== 'string') {
+        errors.push('response.reasoning.done: missing item_id');
+      }
+      if (typeof data.output_index !== 'number') {
+        errors.push('response.reasoning.done: missing output_index');
+      }
+      if (typeof data.content_index !== 'number') {
+        errors.push('response.reasoning.done: missing content_index');
+      }
+      if (typeof data.text !== 'string') {
+        errors.push('response.reasoning.done: missing text');
+      }
+      break;
+
+    case 'response.in_progress':
+    case 'response.completed':
+    case 'response.failed':
+      if (!data.response || typeof data.response !== 'object') {
+        errors.push(`${eventType}: missing response object`);
+      }
+      break;
+
+    case 'response.output_item.added':
+    case 'response.output_item.done':
+      if (typeof data.output_index !== 'number') {
+        errors.push(`${eventType}: missing output_index`);
+      }
+      if (!data.item || typeof data.item !== 'object') {
+        errors.push(`${eventType}: missing item object`);
+      }
+      break;
+  }
+
+  return errors;
+}
+
+/**
+ * Validate all streaming events and return errors
+ * @param {Array} events - Array of parsed events
+ * @returns {string[]} Array of all validation errors
+ */
+function validateAllStreamingEvents(events) {
+  const allErrors = [];
+  for (const event of events) {
+    const errors = validateStreamingEvent(event);
+    allErrors.push(...errors);
+  }
+  return allErrors;
+}
+
+/**
+ * Create a test agent with Anthropic provider
+ * @param {Object} overrides
+ * @returns {Promise<Object>}
+ */
+async function createTestAgent(overrides = {}) {
+  const timestamp = new Date();
+  const agentData = {
+    id: `agent_${uuidv4().replace(/-/g, '').substring(0, 21)}`,
+    name: 'Test Anthropic Agent',
+    description: 'An agent for testing Open Responses API',
+    instructions: 'You are a helpful assistant. Be concise.',
+    provider: EModelEndpoint.anthropic,
+    model: 'claude-sonnet-4-5-20250929',
+    author: new mongoose.Types.ObjectId(),
+    tools: [],
+    model_parameters: {},
+    ...overrides,
+  };
+
+  const versionData = { ...agentData };
+  delete versionData.author;
+
+  const initialAgentData = {
+    ...agentData,
+    versions: [
+      {
+        ...versionData,
+        createdAt: timestamp,
+        updatedAt: timestamp,
+      },
+    ],
+    category: 'general',
+  };
+
+  return (await Agent.create(initialAgentData)).toObject();
+}
+
+/**
+ * Create an agent with extended thinking enabled
+ * @param {Object} overrides
+ * @returns {Promise<Object>}
+ */
+async function createThinkingAgent(overrides = {}) {
+  return createTestAgent({
+    name: 'Test Thinking Agent',
+    description: 'An agent with extended thinking enabled',
+    model_parameters: {
+      thinking: {
+        type: 'enabled',
+        budget_tokens: 5000,
+      },
+    },
+    ...overrides,
+  });
+}
+
+const describeWithApiKey = SKIP_INTEGRATION_TESTS ? describe.skip : describe;
+
+describeWithApiKey('Open Responses API Integration Tests', () => {
+  // Increase timeout for real API calls
+  jest.setTimeout(120000);
+
+  let mongoServer;
+  let app;
+  let testAgent;
+  let thinkingAgent;
+  let testUser;
+  let testApiKey; // The raw API key for Authorization header
+
+  afterAll(() => {
+    process.env.CREDS_KEY = originalEnv.CREDS_KEY;
+    process.env.CREDS_IV = originalEnv.CREDS_IV;
+  });
+
+  beforeAll(async () => {
+    // Start MongoDB Memory Server
+    mongoServer = await MongoMemoryServer.create();
+    const mongoUri = mongoServer.getUri();
+
+    // Connect to MongoDB
+    await mongoose.connect(mongoUri);
+
+    // Register all models
+    const models = createModels(mongoose);
+
+    // Get models
+    Agent = models.Agent;
+    AgentApiKey = models.AgentApiKey;
+    User = models.User;
+    AclEntry = models.AclEntry;
+    AccessRole = models.AccessRole;
+
+    // Create minimal Express app with just the responses routes
+    app = express();
+    app.use(express.json());
+
+    // Mount the responses routes
+    const responsesRoutes = require('~/server/routes/agents/responses');
+    app.use('/api/agents/v1/responses', responsesRoutes);
+
+    // Create test user
+    testUser = await User.create({
+      name: 'Test API User',
+      username: 'testapiuser',
+      email: 'testapiuser@test.com',
+      emailVerified: true,
+      provider: 'local',
+      role: SystemRoles.ADMIN,
+    });
+
+    // Create REMOTE_AGENT access roles (if they don't exist)
+    const existingRoles = await AccessRole.find({
+      accessRoleId: {
+        $in: [
+          AccessRoleIds.REMOTE_AGENT_VIEWER,
+          AccessRoleIds.REMOTE_AGENT_EDITOR,
+          AccessRoleIds.REMOTE_AGENT_OWNER,
+        ],
+      },
+    });
+
+    if (existingRoles.length === 0) {
+      await AccessRole.create([
+        {
+          accessRoleId: AccessRoleIds.REMOTE_AGENT_VIEWER,
+          name: 'API Viewer',
+          description: 'Can query the agent via API',
+          resourceType: ResourceType.REMOTE_AGENT,
+          permBits: PermissionBits.VIEW,
+        },
+        {
+          accessRoleId: AccessRoleIds.REMOTE_AGENT_EDITOR,
+          name: 'API Editor',
+          description: 'Can view and modify the agent via API',
+          resourceType: ResourceType.REMOTE_AGENT,
+          permBits: PermissionBits.VIEW | PermissionBits.EDIT,
+        },
+        {
+          accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+          name: 'API Owner',
+          description: 'Full API access + can grant remote access to others',
+          resourceType: ResourceType.REMOTE_AGENT,
+          permBits:
+            PermissionBits.VIEW |
+            PermissionBits.EDIT |
+            PermissionBits.DELETE |
+            PermissionBits.SHARE,
+        },
+      ]);
+    }
+
+    // Generate and create an API key for the test user
+    const rawKey = `sk-${await getRandomValues(32)}`;
+    const keyHash = await hashToken(rawKey);
+    const keyPrefix = rawKey.substring(0, 8);
+
+    await AgentApiKey.create({
+      userId: testUser._id,
+      name: 'Test API Key',
+      keyHash,
+      keyPrefix,
+    });
+
+    testApiKey = rawKey;
+
+    // Create test agents with the test user as author
+    testAgent = await createTestAgent({ author: testUser._id });
+    thinkingAgent = await createThinkingAgent({ author: testUser._id });
+
+    // Grant REMOTE_AGENT permissions for the test agents
+    await AclEntry.create([
+      {
+        principalType: PrincipalType.USER,
+        principalModel: PrincipalModel.USER,
+        principalId: testUser._id,
+        resourceType: ResourceType.REMOTE_AGENT,
+        resourceId: testAgent._id,
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+        permBits:
+          PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+      },
+      {
+        principalType: PrincipalType.USER,
+        principalModel: PrincipalModel.USER,
+        principalId: testUser._id,
+        resourceType: ResourceType.REMOTE_AGENT,
+        resourceId: thinkingAgent._id,
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+        permBits:
+          PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE,
+      },
+    ]);
+  }, 60000);
+
+  afterAll(async () => {
+    await mongoose.disconnect();
+    await mongoServer.stop();
+  });
+
+  beforeEach(async () => {
+    // Clean up any test data between tests if needed
+  });
+
+  /* ===========================================================================
+   * COMPLIANCE TESTS
+   * Based on: https://github.com/openresponses/openresponses/blob/main/src/lib/compliance-tests.ts
+   * =========================================================================== */
+
+  /** Helper to add auth header to requests */
+  const authRequest = () => ({
+    post: (url) => request(app).post(url).set('Authorization', `Bearer ${testApiKey}`),
+    get: (url) => request(app).get(url).set('Authorization', `Bearer ${testApiKey}`),
+  });
+
+  describe('Compliance Tests', () => {
+    describe('basic-response', () => {
+      it('should return a valid ResponseResource for a simple text request', async () => {
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'Say hello in exactly 3 words.',
+              },
+            ],
+          });
+
+        expect(response.status).toBe(200);
+        expect(response.body).toBeDefined();
+
+        // Validate ResponseResource schema
+        const body = response.body;
+        expect(body.id).toMatch(/^resp_/);
+        expect(body.object).toBe('response');
+        expect(typeof body.created_at).toBe('number');
+        expect(body.status).toBe('completed');
+        expect(body.model).toBe(testAgent.id);
+
+        // Validate output
+        expect(Array.isArray(body.output)).toBe(true);
+        expect(body.output.length).toBeGreaterThan(0);
+
+        // Should have at least one message item
+        const messageItem = body.output.find((item) => item.type === 'message');
+        expect(messageItem).toBeDefined();
+        expect(messageItem.role).toBe('assistant');
+        expect(messageItem.status).toBe('completed');
+        expect(Array.isArray(messageItem.content)).toBe(true);
+      });
+    });
+
+    describe('streaming-response', () => {
+      it('should return valid SSE streaming events', async () => {
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'Count from 1 to 5.',
+              },
+            ],
+            stream: true,
+          })
+          .buffer(true)
+          .parse((res, callback) => {
+            let data = '';
+            res.on('data', (chunk) => {
+              data += chunk.toString();
+            });
+            res.on('end', () => {
+              callback(null, data);
+            });
+          });
+
+        expect(response.status).toBe(200);
+        expect(response.headers['content-type']).toMatch(/text\/event-stream/);
+
+        const events = parseSSEEvents(response.body);
+        expect(events.length).toBeGreaterThan(0);
+
+        // Validate all streaming events against Open Responses spec
+        // This catches issues like:
+        // - Invalid event types (e.g., response.reasoning_text.delta instead of response.reasoning.delta)
+        // - Missing required fields (e.g., logprobs on output_text events)
+        const validationErrors = validateAllStreamingEvents(events);
+        if (validationErrors.length > 0) {
+          console.error('Streaming event validation errors:', validationErrors);
+        }
+        expect(validationErrors).toEqual([]);
+
+        // Validate streaming event types
+        const eventTypes = events.map((e) => e.event);
+
+        // Should have response.created first (per Open Responses spec)
+        expect(eventTypes).toContain('response.created');
+
+        // Should have response.in_progress
+        expect(eventTypes).toContain('response.in_progress');
+
+        // response.created should come before response.in_progress
+        const createdIdx = eventTypes.indexOf('response.created');
+        const inProgressIdx = eventTypes.indexOf('response.in_progress');
+        expect(createdIdx).toBeLessThan(inProgressIdx);
+
+        // Should have response.completed or response.failed
+        expect(eventTypes.some((t) => t === 'response.completed' || t === 'response.failed')).toBe(
+          true,
+        );
+
+        // Should have [DONE]
+        expect(eventTypes).toContain('done');
+
+        // Validate response.completed has full response
+        const completedEvent = events.find((e) => e.event === 'response.completed');
+        if (completedEvent) {
+          expect(completedEvent.data.response).toBeDefined();
+          expect(completedEvent.data.response.status).toBe('completed');
+          expect(completedEvent.data.response.output.length).toBeGreaterThan(0);
+        }
+      });
+
+      it('should emit valid event types per Open Responses spec', async () => {
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'Say hi.',
+              },
+            ],
+            stream: true,
+          })
+          .buffer(true)
+          .parse((res, callback) => {
+            let data = '';
+            res.on('data', (chunk) => {
+              data += chunk.toString();
+            });
+            res.on('end', () => {
+              callback(null, data);
+            });
+          });
+
+        expect(response.status).toBe(200);
+
+        const events = parseSSEEvents(response.body);
+
+        // Check all event types are valid
+        for (const event of events) {
+          if (event.data && typeof event.data === 'object' && event.data.type) {
+            expect(VALID_STREAMING_EVENT_TYPES.has(event.data.type)).toBe(true);
+          }
+        }
+      });
+
+      it('should include logprobs array in output_text events', async () => {
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'Say one word.',
+              },
+            ],
+            stream: true,
+          })
+          .buffer(true)
+          .parse((res, callback) => {
+            let data = '';
+            res.on('data', (chunk) => {
+              data += chunk.toString();
+            });
+            res.on('end', () => {
+              callback(null, data);
+            });
+          });
+
+        expect(response.status).toBe(200);
+
+        const events = parseSSEEvents(response.body);
+
+        // Find output_text delta/done events and verify logprobs
+        const textDeltaEvents = events.filter(
+          (e) => e.data && e.data.type === 'response.output_text.delta',
+        );
+        const textDoneEvents = events.filter(
+          (e) => e.data && e.data.type === 'response.output_text.done',
+        );
+
+        // Should have at least one output_text event
+        expect(textDeltaEvents.length + textDoneEvents.length).toBeGreaterThan(0);
+
+        // All output_text.delta events must have logprobs array
+        for (const event of textDeltaEvents) {
+          expect(Array.isArray(event.data.logprobs)).toBe(true);
+        }
+
+        // All output_text.done events must have logprobs array
+        for (const event of textDoneEvents) {
+          expect(Array.isArray(event.data.logprobs)).toBe(true);
+        }
+      });
+    });
+
+    describe('system-prompt', () => {
+      it('should handle developer role messages in input (as system)', async () => {
+        // Note: For Anthropic, system messages must be first and there can only be one.
+        // Since the agent already has instructions, we use 'developer' role which
+        // gets merged into the system prompt, or we test with a simple user message
+        // that instructs the behavior.
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'Pretend you are a pirate and say hello in pirate speak.',
+              },
+            ],
+          });
+
+        expect(response.status).toBe(200);
+        expect(response.body.status).toBe('completed');
+        expect(response.body.output.length).toBeGreaterThan(0);
+
+        // The response should reflect the pirate persona
+        const messageItem = response.body.output.find((item) => item.type === 'message');
+        expect(messageItem).toBeDefined();
+        expect(messageItem.content.length).toBeGreaterThan(0);
+      });
+    });
+
+    describe('multi-turn', () => {
+      it('should handle multi-turn conversation history', async () => {
+        const response = await authRequest()
+          .post('/api/agents/v1/responses')
+          .send({
+            model: testAgent.id,
+            input: [
+              {
+                type: 'message',
+                role: 'user',
+                content: 'My name is Alice.',
+              },
+              {
+                type: 'message',
+                role: 'assistant',
+                content: 'Hello Alice! Nice to meet you. How can I help you today?',
+              },
+              {
+                type: 'message',
+                role: 'user',
+                content: 'What is my name?',
+              },
+            ],
+          });
+
+        expect(response.status).toBe(200);
+        expect(response.body.status).toBe('completed');
+
+        // The response should reference "Alice"
+        const messageItem = response.body.output.find((item) => item.type === 'message');
+        expect(messageItem).toBeDefined();
+
+        const textContent = messageItem.content.find((c) => c.type === 'output_text');
+        expect(textContent).toBeDefined();
+        expect(textContent.text.toLowerCase()).toContain('alice');
+      });
+    });
+
+    // Note: tool-calling test requires tool setup which may need additional configuration
+    // Note: image-input test requires vision-capable model
+
+    describe('string-input', () => {
+      it('should accept simple string input', async () => {
+        const response = await authRequest().post('/api/agents/v1/responses').send({
+          model: testAgent.id,
+          input: 'Hello!',
+        });
+
+        expect(response.status).toBe(200);
+        expect(response.body.status).toBe('completed');
+        expect(response.body.output.length).toBeGreaterThan(0);
+      });
+    });
+  });
+
+  /* ===========================================================================
+   * EXTENDED THINKING TESTS
+   * Tests reasoning output from Claude models with extended thinking enabled
+   * =========================================================================== */
+
+  describe('Extended Thinking', () => {
+    it('should return reasoning output when thinking is enabled', async () => {
+      const response = await authRequest()
+        .post('/api/agents/v1/responses')
+        .send({
+          model: thinkingAgent.id,
+          input: [
+            {
+              type: 'message',
+              role: 'user',
+              content: 'What is 15 * 7? Think step by step.',
+            },
+          ],
+        });
+
+      expect(response.status).toBe(200);
+      expect(response.body.status).toBe('completed');
+
+      // Check for reasoning item in output
+      const reasoningItem = response.body.output.find((item) => item.type === 'reasoning');
+      // If reasoning is present, validate its structure per Open Responses spec
+      // Note: reasoning items do NOT have a 'status' field per the spec
+      // @see https://github.com/openresponses/openresponses/blob/main/src/generated/kubb/zod/reasoningBodySchema.ts
+      if (reasoningItem) {
+        expect(reasoningItem).toHaveProperty('id');
+        expect(reasoningItem).toHaveProperty('type', 'reasoning');
+        // Note: 'status' is NOT a field on reasoning items per the spec
+        expect(reasoningItem).toHaveProperty('summary');
+        expect(Array.isArray(reasoningItem.summary)).toBe(true);
+
+        // Validate content items
+        if (reasoningItem.content && reasoningItem.content.length > 0) {
+          const reasoningContent = reasoningItem.content[0];
+          expect(reasoningContent).toHaveProperty('type', 'reasoning_text');
+          expect(reasoningContent).toHaveProperty('text');
+        }
+      }
+
+      const messageItem = response.body.output.find((item) => item.type === 'message');
+      expect(messageItem).toBeDefined();
+    });
+
+    it('should stream reasoning events when thinking is enabled', async () => {
+      const response = await authRequest()
+        .post('/api/agents/v1/responses')
+        .send({
+          model: thinkingAgent.id,
+          input: [
+            {
+              type: 'message',
+              role: 'user',
+              content: 'What is 12 + 8? Think step by step.',
+            },
+          ],
+          stream: true,
+        })
+        .buffer(true)
+        .parse((res, callback) => {
+          let data = '';
+          res.on('data', (chunk) => {
+            data += chunk.toString();
+          });
+          res.on('end', () => {
+            callback(null, data);
+          });
+        });
+
+      expect(response.status).toBe(200);
+
+      const events = parseSSEEvents(response.body);
+
+      // Validate all events against Open Responses spec
+      const validationErrors = validateAllStreamingEvents(events);
+      if (validationErrors.length > 0) {
+        console.error('Reasoning streaming event validation errors:', validationErrors);
+      }
+      expect(validationErrors).toEqual([]);
+
+      // Check for reasoning-related events using correct event types per Open Responses spec
+      // Note: The spec uses response.reasoning.delta NOT response.reasoning_text.delta
+      const reasoningDeltaEvents = events.filter(
+        (e) => e.data && e.data.type === 'response.reasoning.delta',
+      );
+      const reasoningDoneEvents = events.filter(
+        (e) => e.data && e.data.type === 'response.reasoning.done',
+      );
+
+      // If reasoning events are present, validate their structure
+      if (reasoningDeltaEvents.length > 0) {
+        const deltaEvent = reasoningDeltaEvents[0];
+        expect(deltaEvent.data).toHaveProperty('item_id');
+        expect(deltaEvent.data).toHaveProperty('delta');
+        expect(deltaEvent.data).toHaveProperty('output_index');
+        expect(deltaEvent.data).toHaveProperty('content_index');
+        expect(deltaEvent.data).toHaveProperty('sequence_number');
+      }
+
+      if (reasoningDoneEvents.length > 0) {
+        const doneEvent = reasoningDoneEvents[0];
+        expect(doneEvent.data).toHaveProperty('item_id');
+        expect(doneEvent.data).toHaveProperty('text');
+        expect(doneEvent.data).toHaveProperty('output_index');
+        expect(doneEvent.data).toHaveProperty('content_index');
+        expect(doneEvent.data).toHaveProperty('sequence_number');
+      }
+
+      // Verify stream completed properly
+      const eventTypes = events.map((e) => e.event);
+      expect(eventTypes).toContain('response.completed');
+    });
+  });
+
+  /* ===========================================================================
+   * SCHEMA VALIDATION TESTS
+   * Verify response schema compliance
+   * =========================================================================== */
+
+  describe('Schema Validation', () => {
+    it('should include all required fields in response', async () => {
+      const response = await authRequest().post('/api/agents/v1/responses').send({
+        model: testAgent.id,
+        input: 'Test',
+      });
+
+      expect(response.status).toBe(200);
+      const body = response.body;
+
+      // Required fields per Open Responses spec
+      expect(body).toHaveProperty('id');
+      expect(body).toHaveProperty('object', 'response');
+      expect(body).toHaveProperty('created_at');
+      expect(body).toHaveProperty('completed_at');
+      expect(body).toHaveProperty('status');
+      expect(body).toHaveProperty('model');
+      expect(body).toHaveProperty('output');
+      expect(body).toHaveProperty('tools');
+      expect(body).toHaveProperty('tool_choice');
+      expect(body).toHaveProperty('truncation');
+      expect(body).toHaveProperty('parallel_tool_calls');
+      expect(body).toHaveProperty('text');
+      expect(body).toHaveProperty('temperature');
+      expect(body).toHaveProperty('top_p');
+      expect(body).toHaveProperty('presence_penalty');
+      expect(body).toHaveProperty('frequency_penalty');
+      expect(body).toHaveProperty('top_logprobs');
+      expect(body).toHaveProperty('store');
+      expect(body).toHaveProperty('background');
+      expect(body).toHaveProperty('service_tier');
+      expect(body).toHaveProperty('metadata');
+
+      // top_logprobs must be a number (not null)
+      expect(typeof body.top_logprobs).toBe('number');
+
+      // Usage must have required detail fields
+      expect(body).toHaveProperty('usage');
+      expect(body.usage).toHaveProperty('input_tokens');
+      expect(body.usage).toHaveProperty('output_tokens');
+      expect(body.usage).toHaveProperty('total_tokens');
+      expect(body.usage).toHaveProperty('input_tokens_details');
+      expect(body.usage).toHaveProperty('output_tokens_details');
+      expect(body.usage.input_tokens_details).toHaveProperty('cached_tokens');
+      expect(body.usage.output_tokens_details).toHaveProperty('reasoning_tokens');
+    });
+
+    it('should have valid message item structure', async () => {
+      const response = await authRequest().post('/api/agents/v1/responses').send({
+        model: testAgent.id,
+        input: 'Hello',
+      });
+
+      expect(response.status).toBe(200);
+
+      const messageItem = response.body.output.find((item) => item.type === 'message');
+      expect(messageItem).toBeDefined();
+
+      // Message item required fields
+      expect(messageItem).toHaveProperty('type', 'message');
+      expect(messageItem).toHaveProperty('id');
+      expect(messageItem).toHaveProperty('status');
+      expect(messageItem).toHaveProperty('role', 'assistant');
+      expect(messageItem).toHaveProperty('content');
+      expect(Array.isArray(messageItem.content)).toBe(true);
+
+      // Content part structure - verify all required fields
+      if (messageItem.content.length > 0) {
+        const textContent = messageItem.content.find((c) => c.type === 'output_text');
+        if (textContent) {
+          expect(textContent).toHaveProperty('type', 'output_text');
+          expect(textContent).toHaveProperty('text');
+          expect(textContent).toHaveProperty('annotations');
+          expect(textContent).toHaveProperty('logprobs');
+          expect(Array.isArray(textContent.annotations)).toBe(true);
+          expect(Array.isArray(textContent.logprobs)).toBe(true);
+        }
+      }
+
+      // Verify reasoning item has required summary field
+      const reasoningItem = response.body.output.find((item) => item.type === 'reasoning');
+      if (reasoningItem) {
+        expect(reasoningItem).toHaveProperty('type', 'reasoning');
+        expect(reasoningItem).toHaveProperty('id');
+        expect(reasoningItem).toHaveProperty('summary');
+        expect(Array.isArray(reasoningItem.summary)).toBe(true);
+      }
+    });
+  });
+
+  /* ===========================================================================
+   * RESPONSE STORAGE TESTS
+   * Tests for store: true and GET /v1/responses/:id
+   * =========================================================================== */
+
+  describe('Response Storage', () => {
+    it('should store response when store: true and retrieve it', async () => {
+      // Create a stored response
+      const createResponse = await authRequest().post('/api/agents/v1/responses').send({
+        model: testAgent.id,
+        input: 'Remember this: The answer is 42.',
+        store: true,
+      });
+
+      expect(createResponse.status).toBe(200);
+      expect(createResponse.body.status).toBe('completed');
+
+      const responseId = createResponse.body.id;
+      expect(responseId).toMatch(/^resp_/);
+
+      // Small delay to ensure database write completes
+      await new Promise((resolve) => setTimeout(resolve, 500));
+
+      // Retrieve the stored response
+      const getResponseResult = await authRequest().get(`/api/agents/v1/responses/${responseId}`);
+
+      // Note: The response might be stored under conversationId, not responseId
+      // If we get 404, that's expected behavior for now since we store by conversationId
+      if (getResponseResult.status === 200) {
+        expect(getResponseResult.body.object).toBe('response');
+        expect(getResponseResult.body.status).toBe('completed');
+        expect(getResponseResult.body.output.length).toBeGreaterThan(0);
+      }
+    });
+
+    it('should return 404 for non-existent response', async () => {
+      const response = await authRequest().get('/api/agents/v1/responses/resp_nonexistent123');
+
+      expect(response.status).toBe(404);
+      expect(response.body.error).toBeDefined();
+    });
+  });
+
+  /* ===========================================================================
+   * ERROR HANDLING TESTS
+   * =========================================================================== */
+
+  describe('Error Handling', () => {
+    it('should return error for missing model', async () => {
+      const response = await authRequest().post('/api/agents/v1/responses').send({
+        input: 'Hello',
+      });
+
+      expect(response.status).toBe(400);
+      expect(response.body.error).toBeDefined();
+    });
+
+    it('should return error for missing input', async () => {
+      const response = await authRequest().post('/api/agents/v1/responses').send({
+        model: testAgent.id,
+      });
+
+      expect(response.status).toBe(400);
+      expect(response.body.error).toBeDefined();
+    });
+
+    it('should return error for non-existent agent', async () => {
+      const response = await authRequest().post('/api/agents/v1/responses').send({
+        model: 'agent_nonexistent123456789',
+        input: 'Hello',
+      });
+
+      expect(response.status).toBe(404);
+      expect(response.body.error).toBeDefined();
+    });
+  });
+
+  /* ===========================================================================
+   * MODELS ENDPOINT TESTS
+   * =========================================================================== */
+
+  describe('GET /v1/responses/models', () => {
+    it('should list available agents as models', async () => {
+      const response = await authRequest().get('/api/agents/v1/responses/models');
+
+      expect(response.status).toBe(200);
+      expect(response.body.object).toBe('list');
+      expect(Array.isArray(response.body.data)).toBe(true);
+
+      // Should include our test agent
+      const foundAgent = response.body.data.find((m) => m.id === testAgent.id);
+      expect(foundAgent).toBeDefined();
+      expect(foundAgent.object).toBe('model');
+      expect(foundAgent.name).toBe(testAgent.name);
+    });
+  });
+});
diff --git a/api/server/routes/agents/index.js b/api/server/routes/agents/index.js
index bf790aeee8c6..f8d39cb4d82b 100644
--- a/api/server/routes/agents/index.js
+++ b/api/server/routes/agents/index.js
@@ -10,6 +10,8 @@ const {
   messageUserLimiter,
 } = require('~/server/middleware');
 const { saveMessage } = require('~/models');
+const openai = require('./openai');
+const responses = require('./responses');
 const { v1 } = require('./v1');
 const chat = require('./chat');
 
@@ -17,6 +19,20 @@ const { LIMIT_MESSAGE_IP, LIMIT_MESSAGE_USER } = process.env ?? {};
 
 const router = express.Router();
 
+/**
+ * Open Responses API routes (API key authentication handled in route file)
+ * Mounted at /agents/v1/responses (full path: /api/agents/v1/responses)
+ * NOTE: Must be mounted BEFORE /v1 to avoid being caught by the less specific route
+ * @see https://openresponses.org/specification
+ */
+router.use('/v1/responses', responses);
+
+/**
+ * OpenAI-compatible API routes (API key authentication handled in route file)
+ * Mounted at /agents/v1 (full path: /api/agents/v1/chat/completions)
+ */
+router.use('/v1', openai);
+
 router.use(requireJwtAuth);
 router.use(checkBan);
 router.use(uaParser);
diff --git a/api/server/routes/agents/openai.js b/api/server/routes/agents/openai.js
new file mode 100644
index 000000000000..9a0d9a356452
--- /dev/null
+++ b/api/server/routes/agents/openai.js
@@ -0,0 +1,110 @@
+/**
+ * OpenAI-compatible API routes for LibreChat agents.
+ *
+ * Provides a /v1/chat/completions compatible interface for
+ * interacting with LibreChat agents remotely via API.
+ *
+ * Usage:
+ *   POST /v1/chat/completions - Chat with an agent
+ *   GET /v1/models - List available agents
+ *   GET /v1/models/:model - Get agent details
+ *
+ * Request format:
+ *   {
+ *     "model": "agent_id_here",
+ *     "messages": [{"role": "user", "content": "Hello!"}],
+ *     "stream": true
+ *   }
+ */
+const express = require('express');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const {
+  generateCheckAccess,
+  createRequireApiKeyAuth,
+  createCheckRemoteAgentAccess,
+} = require('@librechat/api');
+const {
+  OpenAIChatCompletionController,
+  ListModelsController,
+  GetModelController,
+} = require('~/server/controllers/agents/openai');
+const { getEffectivePermissions } = require('~/server/services/PermissionService');
+const { validateAgentApiKey, findUser } = require('~/models');
+const { configMiddleware } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');
+const { getAgent } = require('~/models/Agent');
+
+const router = express.Router();
+
+const requireApiKeyAuth = createRequireApiKeyAuth({
+  validateAgentApiKey,
+  findUser,
+});
+
+const checkRemoteAgentsFeature = generateCheckAccess({
+  permissionType: PermissionTypes.REMOTE_AGENTS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});
+
+const checkAgentPermission = createCheckRemoteAgentAccess({
+  getAgent,
+  getEffectivePermissions,
+});
+
+router.use(requireApiKeyAuth);
+router.use(configMiddleware);
+router.use(checkRemoteAgentsFeature);
+
+/**
+ * @route POST /v1/chat/completions
+ * @desc OpenAI-compatible chat completions with agents
+ * @access Private (API key auth required)
+ *
+ * Request body:
+ * {
+ *   "model": "agent_id",        // Required: The agent ID to use
+ *   "messages": [...],          // Required: Array of chat messages
+ *   "stream": true,             // Optional: Whether to stream (default: false)
+ *   "conversation_id": "...",   // Optional: Conversation ID for context
+ *   "parent_message_id": "..."  // Optional: Parent message for threading
+ * }
+ *
+ * Response (streaming):
+ * - SSE stream with OpenAI chat.completion.chunk format
+ * - Includes delta.reasoning for thinking/reasoning content
+ *
+ * Response (non-streaming):
+ * - Standard OpenAI chat.completion format
+ */
+router.post('/chat/completions', checkAgentPermission, OpenAIChatCompletionController);
+
+/**
+ * @route GET /v1/models
+ * @desc List available agents as models
+ * @access Private (API key auth required)
+ *
+ * Response:
+ * {
+ *   "object": "list",
+ *   "data": [
+ *     {
+ *       "id": "agent_id",
+ *       "object": "model",
+ *       "name": "Agent Name",
+ *       "provider": "openai",
+ *       ...
+ *     }
+ *   ]
+ * }
+ */
+router.get('/models', ListModelsController);
+
+/**
+ * @route GET /v1/models/:model
+ * @desc Get details for a specific agent/model
+ * @access Private (API key auth required)
+ */
+router.get('/models/:model', GetModelController);
+
+module.exports = router;
diff --git a/api/server/routes/agents/responses.js b/api/server/routes/agents/responses.js
new file mode 100644
index 000000000000..431942e921c9
--- /dev/null
+++ b/api/server/routes/agents/responses.js
@@ -0,0 +1,144 @@
+/**
+ * Open Responses API routes for LibreChat agents.
+ *
+ * Implements the Open Responses specification for a forward-looking,
+ * agentic API that uses items as the fundamental unit and semantic
+ * streaming events.
+ *
+ * Usage:
+ *   POST /v1/responses - Create a response
+ *   GET /v1/models - List available agents
+ *
+ * Request format:
+ *   {
+ *     "model": "agent_id_here",
+ *     "input": "Hello!" or [{ type: "message", role: "user", content: "Hello!" }],
+ *     "stream": true,
+ *     "previous_response_id": "optional_conversation_id"
+ *   }
+ *
+ * @see https://openresponses.org/specification
+ */
+const express = require('express');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const {
+  generateCheckAccess,
+  createRequireApiKeyAuth,
+  createCheckRemoteAgentAccess,
+} = require('@librechat/api');
+const {
+  createResponse,
+  getResponse,
+  listModels,
+} = require('~/server/controllers/agents/responses');
+const { getEffectivePermissions } = require('~/server/services/PermissionService');
+const { validateAgentApiKey, findUser } = require('~/models');
+const { configMiddleware } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');
+const { getAgent } = require('~/models/Agent');
+
+const router = express.Router();
+
+const requireApiKeyAuth = createRequireApiKeyAuth({
+  validateAgentApiKey,
+  findUser,
+});
+
+const checkRemoteAgentsFeature = generateCheckAccess({
+  permissionType: PermissionTypes.REMOTE_AGENTS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});
+
+const checkAgentPermission = createCheckRemoteAgentAccess({
+  getAgent,
+  getEffectivePermissions,
+});
+
+router.use(requireApiKeyAuth);
+router.use(configMiddleware);
+router.use(checkRemoteAgentsFeature);
+
+/**
+ * @route POST /v1/responses
+ * @desc Create a model response following Open Responses specification
+ * @access Private (API key auth required)
+ *
+ * Request body:
+ * {
+ *   "model": "agent_id",                // Required: The agent ID to use
+ *   "input": "..." | [...],             // Required: String or array of input items
+ *   "stream": true,                     // Optional: Whether to stream (default: false)
+ *   "previous_response_id": "...",      // Optional: Previous response for continuation
+ *   "instructions": "...",              // Optional: Additional instructions
+ *   "tools": [...],                     // Optional: Additional tools
+ *   "tool_choice": "auto",              // Optional: Tool choice mode
+ *   "max_output_tokens": 4096,          // Optional: Max tokens
+ *   "temperature": 0.7                  // Optional: Temperature
+ * }
+ *
+ * Response (streaming):
+ * - SSE stream with semantic events:
+ *   - response.in_progress
+ *   - response.output_item.added
+ *   - response.content_part.added
+ *   - response.output_text.delta
+ *   - response.output_text.done
+ *   - response.function_call_arguments.delta
+ *   - response.output_item.done
+ *   - response.completed
+ *   - [DONE]
+ *
+ * Response (non-streaming):
+ * {
+ *   "id": "resp_xxx",
+ *   "object": "response",
+ *   "created_at": 1234567890,
+ *   "status": "completed",
+ *   "model": "agent_id",
+ *   "output": [...],                    // Array of output items
+ *   "usage": { ... }
+ * }
+ */
+router.post('/', checkAgentPermission, createResponse);
+
+/**
+ * @route GET /v1/responses/models
+ * @desc List available agents as models
+ * @access Private (API key auth required)
+ *
+ * Response:
+ * {
+ *   "object": "list",
+ *   "data": [
+ *     {
+ *       "id": "agent_id",
+ *       "object": "model",
+ *       "name": "Agent Name",
+ *       "provider": "openai",
+ *       ...
+ *     }
+ *   ]
+ * }
+ */
+router.get('/models', listModels);
+
+/**
+ * @route GET /v1/responses/:id
+ * @desc Retrieve a stored response by ID
+ * @access Private (API key auth required)
+ *
+ * Response:
+ * {
+ *   "id": "resp_xxx",
+ *   "object": "response",
+ *   "created_at": 1234567890,
+ *   "status": "completed",
+ *   "model": "agent_id",
+ *   "output": [...],
+ *   "usage": { ... }
+ * }
+ */
+router.get('/:id', getResponse);
+
+module.exports = router;
diff --git a/api/server/routes/apiKeys.js b/api/server/routes/apiKeys.js
new file mode 100644
index 000000000000..29dcc326f5e3
--- /dev/null
+++ b/api/server/routes/apiKeys.js
@@ -0,0 +1,36 @@
+const express = require('express');
+const { generateCheckAccess, createApiKeyHandlers } = require('@librechat/api');
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const {
+  getAgentApiKeyById,
+  createAgentApiKey,
+  deleteAgentApiKey,
+  listAgentApiKeys,
+} = require('~/models');
+const { requireJwtAuth } = require('~/server/middleware');
+const { getRoleByName } = require('~/models/Role');
+
+const router = express.Router();
+
+const handlers = createApiKeyHandlers({
+  createAgentApiKey,
+  listAgentApiKeys,
+  deleteAgentApiKey,
+  getAgentApiKeyById,
+});
+
+const checkRemoteAgentsUse = generateCheckAccess({
+  permissionType: PermissionTypes.REMOTE_AGENTS,
+  permissions: [Permissions.USE],
+  getRoleByName,
+});
+
+router.post('/', requireJwtAuth, checkRemoteAgentsUse, handlers.createApiKey);
+
+router.get('/', requireJwtAuth, checkRemoteAgentsUse, handlers.listApiKeys);
+
+router.get('/:id', requireJwtAuth, checkRemoteAgentsUse, handlers.getApiKey);
+
+router.delete('/:id', requireJwtAuth, checkRemoteAgentsUse, handlers.deleteApiKey);
+
+module.exports = router;
diff --git a/api/server/routes/index.js b/api/server/routes/index.js
index f3571099cb5c..6a48919db337 100644
--- a/api/server/routes/index.js
+++ b/api/server/routes/index.js
@@ -1,6 +1,7 @@
 const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
+const adminAuth = require('./admin/auth');
 const endpoints = require('./endpoints');
 const staticRoute = require('./static');
 const messages = require('./messages');
@@ -9,6 +10,7 @@ const presets = require('./presets');
 const prompts = require('./prompts');
 const balance = require('./balance');
 const actions = require('./actions');
+const apiKeys = require('./apiKeys');
 const banner = require('./banner');
 const search = require('./search');
 const models = require('./models');
@@ -28,7 +30,9 @@ const mcp = require('./mcp');
 module.exports = {
   mcp,
   auth,
+  adminAuth,
   keys,
+  apiKeys,
   user,
   tags,
   roles,
diff --git a/api/server/routes/oauth.js b/api/server/routes/oauth.js
index 64d29210ac17..4a2e2f70c616 100644
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@@ -4,10 +4,9 @@ const passport = require('passport');
 const { randomState } = require('openid-client');
 const { logger } = require('@librechat/data-schemas');
 const { ErrorTypes } = require('librechat-data-provider');
-const { isEnabled, createSetBalanceConfig } = require('@librechat/api');
-const { checkDomainAllowed, loginLimiter, logHeaders, checkBan } = require('~/server/middleware');
-const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
-const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
+const { createSetBalanceConfig } = require('@librechat/api');
+const { checkDomainAllowed, loginLimiter, logHeaders } = require('~/server/middleware');
+const { createOAuthHandler } = require('~/server/controllers/auth/oauth');
 const { getAppConfig } = require('~/server/services/Config');
 const { Balance } = require('~/db/models');
 
@@ -26,32 +25,7 @@ const domains = {
 router.use(logHeaders);
 router.use(loginLimiter);
 
-const oauthHandler = async (req, res, next) => {
-  try {
-    if (res.headersSent) {
-      return;
-    }
-
-    await checkBan(req, res);
-    if (req.banned) {
-      return;
-    }
-    if (
-      req.user &&
-      req.user.provider == 'openid' &&
-      isEnabled(process.env.OPENID_REUSE_TOKENS) === true
-    ) {
-      await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
-      setOpenIDAuthTokens(req.user.tokenset, req, res, req.user._id.toString());
-    } else {
-      await setAuthTokens(req.user._id, res);
-    }
-    res.redirect(domains.client);
-  } catch (err) {
-    logger.error('Error in setting authentication tokens:', err);
-    next(err);
-  }
-};
+const oauthHandler = createOAuthHandler();
 
 router.get('/error', (req, res) => {
   /** A single error message is pushed by passport when authentication fails. */
diff --git a/api/server/routes/roles.js b/api/server/routes/roles.js
index abb53141bda9..12e18c7624ec 100644
--- a/api/server/routes/roles.js
+++ b/api/server/routes/roles.js
@@ -6,9 +6,10 @@ const {
   agentPermissionsSchema,
   promptPermissionsSchema,
   memoryPermissionsSchema,
+  mcpServersPermissionsSchema,
   marketplacePermissionsSchema,
   peoplePickerPermissionsSchema,
-  mcpServersPermissionsSchema,
+  remoteAgentsPermissionsSchema,
 } = require('librechat-data-provider');
 const { checkAdmin, requireJwtAuth } = require('~/server/middleware');
 const { updateRoleByName, getRoleByName } = require('~/models/Role');
@@ -51,6 +52,11 @@ const permissionConfigs = {
     permissionType: PermissionTypes.MARKETPLACE,
     errorMessage: 'Invalid marketplace permissions.',
   },
+  'remote-agents': {
+    schema: remoteAgentsPermissionsSchema,
+    permissionType: PermissionTypes.REMOTE_AGENTS,
+    errorMessage: 'Invalid remote agents permissions.',
+  },
 };
 
 /**
@@ -160,4 +166,10 @@ router.put('/:roleName/mcp-servers', checkAdmin, createPermissionUpdateHandler('
  */
 router.put('/:roleName/marketplace', checkAdmin, createPermissionUpdateHandler('marketplace'));
 
+/**
+ * PUT /api/roles/:roleName/remote-agents
+ * Update remote agents (API) permissions for a specific role
+ */
+router.put('/:roleName/remote-agents', checkAdmin, createPermissionUpdateHandler('remote-agents'));
+
 module.exports = router;
diff --git a/api/server/services/AuthService.js b/api/server/services/AuthService.js
index a400bce8b7d3..ab1b9c56530c 100644
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@@ -6,8 +6,14 @@ const {
   DEFAULT_SESSION_EXPIRY,
   DEFAULT_REFRESH_TOKEN_EXPIRY,
 } = require('@librechat/data-schemas');
+const {
+  math,
+  isEnabled,
+  checkEmailConfig,
+  isEmailDomainAllowed,
+  extractSubFromAccessToken,
+} = require('@librechat/api');
 const { ErrorTypes, SystemRoles, errorsToString } = require('librechat-data-provider');
-const { isEnabled, checkEmailConfig, isEmailDomainAllowed, math } = require('@librechat/api');
 const {
   findUser,
   findToken,
@@ -490,6 +496,27 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) =
         sameSite: 'strict',
       });
     }
+
+    if (isEnabled(process.env.OPENID_EXPOSE_SUB_COOKIE)) {
+      if (!process.env.JWT_REFRESH_SECRET) {
+        logger.error(
+          '[setOpenIDAuthTokens] JWT_REFRESH_SECRET not configured for openid_sub cookie',
+        );
+        return tokenset.access_token;
+      }
+      const { sub } = extractSubFromAccessToken(tokenset.access_token);
+      if (sub) {
+        const signedSub = jwt.sign({ sub }, process.env.JWT_REFRESH_SECRET, {
+          expiresIn: expiryInMilliseconds / 1000,
+        });
+        res.cookie('openid_sub', signedSub, {
+          expires: expirationDate,
+          httpOnly: true,
+          secure: isProduction,
+          sameSite: 'lax',
+        });
+      }
+    }
     return tokenset.access_token;
   } catch (error) {
     logger.error('[setOpenIDAuthTokens] Error in setting authentication tokens:', error);
diff --git a/api/server/services/Config/loadConfigModels.js b/api/server/services/Config/loadConfigModels.js
index 6354d10331b6..2bc83ecc3aaa 100644
--- a/api/server/services/Config/loadConfigModels.js
+++ b/api/server/services/Config/loadConfigModels.js
@@ -28,6 +28,11 @@ async function loadConfigModels(req) {
     modelsConfig[EModelEndpoint.azureAssistants] = azureConfig.assistantModels;
   }
 
+  const bedrockConfig = appConfig.endpoints?.[EModelEndpoint.bedrock];
+  if (bedrockConfig?.models && Array.isArray(bedrockConfig.models)) {
+    modelsConfig[EModelEndpoint.bedrock] = bedrockConfig.models;
+  }
+
   if (!Array.isArray(appConfig.endpoints?.[EModelEndpoint.custom])) {
     return modelsConfig;
   }
diff --git a/api/server/services/Endpoints/agents/addedConvo.js b/api/server/services/Endpoints/agents/addedConvo.js
index 240622ed9f1a..7e9385267aeb 100644
--- a/api/server/services/Endpoints/agents/addedConvo.js
+++ b/api/server/services/Endpoints/agents/addedConvo.js
@@ -31,6 +31,7 @@ setGetAgent(getAgent);
  * @param {Function} params.loadTools - Function to load agent tools
  * @param {Array} params.requestFiles - Request files
  * @param {string} params.conversationId - The conversation ID
+ * @param {string} [params.parentMessageId] - The parent message ID for thread filtering
  * @param {Set} params.allowedProviders - Set of allowed providers
  * @param {Map} params.agentConfigs - Map of agent configs to add to
  * @param {string} params.primaryAgentId - The primary agent ID
@@ -46,6 +47,7 @@ const processAddedConvo = async ({
   loadTools,
   requestFiles,
   conversationId,
+  parentMessageId,
   allowedProviders,
   agentConfigs,
   primaryAgentId,
@@ -91,6 +93,7 @@ const processAddedConvo = async ({
         loadTools,
         requestFiles,
         conversationId,
+        parentMessageId,
         agent: addedAgent,
         endpointOption,
         allowedProviders,
@@ -99,9 +102,12 @@ const processAddedConvo = async ({
         getConvoFiles,
         getFiles: db.getFiles,
         getUserKey: db.getUserKey,
+        getMessages: db.getMessages,
         updateFilesUsage: db.updateFilesUsage,
+        getUserCodeFiles: db.getUserCodeFiles,
         getUserKeyValues: db.getUserKeyValues,
         getToolFilesByIds: db.getToolFilesByIds,
+        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
       },
     );
 
diff --git a/api/server/services/Endpoints/agents/initialize.js b/api/server/services/Endpoints/agents/initialize.js
index a6914801198d..65d38c022615 100644
--- a/api/server/services/Endpoints/agents/initialize.js
+++ b/api/server/services/Endpoints/agents/initialize.js
@@ -44,13 +44,23 @@ function createToolLoader(signal, streamId = null) {
    * @param {string} params.model
    * @param {AgentToolResources} params.tool_resources
    * @returns {Promise<{
-   * tools: StructuredTool[],
-   * toolContextMap: Record<string, unknown>,
-   * userMCPAuthMap?: Record<string, Record<string, string>>
+   *   tools: StructuredTool[],
+   *   toolContextMap: Record<string, unknown>,
+   *   userMCPAuthMap?: Record<string, Record<string, string>>,
+   *   toolRegistry?: import('@librechat/agents').LCToolRegistry
    * } | undefined>}
    */
-  return async function loadTools({ req, res, agentId, tools, provider, model, tool_resources }) {
-    const agent = { id: agentId, tools, provider, model };
+  return async function loadTools({
+    req,
+    res,
+    tools,
+    model,
+    agentId,
+    provider,
+    tool_options,
+    tool_resources,
+  }) {
+    const agent = { id: agentId, tools, provider, model, tool_options };
     try {
       return await loadAgentTools({
         req,
@@ -120,6 +130,8 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
   const requestFiles = req.body.files ?? [];
   /** @type {string} */
   const conversationId = req.body.conversationId;
+  /** @type {string | undefined} */
+  const parentMessageId = req.body.parentMessageId;
 
   const primaryConfig = await initializeAgent(
     {
@@ -128,6 +140,7 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
       loadTools,
       requestFiles,
       conversationId,
+      parentMessageId,
       agent: primaryAgent,
       endpointOption,
       allowedProviders,
@@ -137,9 +150,12 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
       getConvoFiles,
       getFiles: db.getFiles,
       getUserKey: db.getUserKey,
+      getMessages: db.getMessages,
       updateFilesUsage: db.updateFilesUsage,
       getUserKeyValues: db.getUserKeyValues,
+      getUserCodeFiles: db.getUserCodeFiles,
       getToolFilesByIds: db.getToolFilesByIds,
+      getCodeGeneratedFiles: db.getCodeGeneratedFiles,
     },
   );
 
@@ -179,6 +195,7 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
         loadTools,
         requestFiles,
         conversationId,
+        parentMessageId,
         endpointOption,
         allowedProviders,
       },
@@ -186,9 +203,12 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
         getConvoFiles,
         getFiles: db.getFiles,
         getUserKey: db.getUserKey,
+        getMessages: db.getMessages,
         updateFilesUsage: db.updateFilesUsage,
         getUserKeyValues: db.getUserKeyValues,
+        getUserCodeFiles: db.getUserCodeFiles,
         getToolFilesByIds: db.getToolFilesByIds,
+        getCodeGeneratedFiles: db.getCodeGeneratedFiles,
       },
     );
     if (userMCPAuthMap != null) {
@@ -243,17 +263,18 @@ const initializeClient = async ({ req, res, signal, endpointOption }) => {
   const { userMCPAuthMap: updatedMCPAuthMap } = await processAddedConvo({
     req,
     res,
-    endpointOption,
-    modelsConfig,
-    logViolation,
     loadTools,
+    logViolation,
+    modelsConfig,
     requestFiles,
-    conversationId,
-    allowedProviders,
     agentConfigs,
-    primaryAgentId: primaryConfig.id,
     primaryAgent,
+    endpointOption,
     userMCPAuthMap,
+    conversationId,
+    parentMessageId,
+    allowedProviders,
+    primaryAgentId: primaryConfig.id,
   });
 
   if (updatedMCPAuthMap) {
diff --git a/api/server/services/Files/Code/process.js b/api/server/services/Files/Code/process.js
index 15df6de0d665..b7e7f5655263 100644
--- a/api/server/services/Files/Code/process.js
+++ b/api/server/services/Files/Code/process.js
@@ -6,27 +6,112 @@ const { getCodeBaseURL } = require('@librechat/agents');
 const { logAxiosError, getBasePath } = require('@librechat/api');
 const {
   Tools,
+  megabyte,
+  fileConfig,
   FileContext,
   FileSources,
   imageExtRegex,
+  inferMimeType,
   EToolResources,
+  EModelEndpoint,
+  mergeFileConfig,
+  getEndpointFileConfig,
 } = require('librechat-data-provider');
 const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { convertImage } = require('~/server/services/Files/images/convert');
 const { createFile, getFiles, updateFile } = require('~/models');
+const { determineFileType } = require('~/server/utils');
 
 /**
- * Process OpenAI image files, convert to target format, save and return file metadata.
+ * Creates a fallback download URL response when file cannot be processed locally.
+ * Used when: file exceeds size limit, storage strategy unavailable, or download error occurs.
+ * @param {Object} params - The parameters.
+ * @param {string} params.name - The filename.
+ * @param {string} params.session_id - The code execution session ID.
+ * @param {string} params.id - The file ID from the code environment.
+ * @param {string} params.conversationId - The current conversation ID.
+ * @param {string} params.toolCallId - The tool call ID that generated the file.
+ * @param {string} params.messageId - The current message ID.
+ * @param {number} params.expiresAt - Expiration timestamp (24 hours from creation).
+ * @returns {Object} Fallback response with download URL.
+ */
+const createDownloadFallback = ({
+  id,
+  name,
+  messageId,
+  expiresAt,
+  session_id,
+  toolCallId,
+  conversationId,
+}) => {
+  const basePath = getBasePath();
+  return {
+    filename: name,
+    filepath: `${basePath}/api/files/code/download/${session_id}/${id}`,
+    expiresAt,
+    conversationId,
+    toolCallId,
+    messageId,
+  };
+};
+
+/**
+ * Find an existing code-generated file by filename in the conversation.
+ * Used to update existing files instead of creating duplicates.
+ *
+ * ## Deduplication Strategy
+ *
+ * Files are deduplicated by `(conversationId, filename)` - NOT including `messageId`.
+ * This is an intentional design decision to handle iterative code development patterns:
+ *
+ * **Rationale:**
+ * - When users iteratively refine code (e.g., "regenerate that chart with red bars"),
+ *   the same logical file (e.g., "chart.png") is produced multiple times
+ * - Without deduplication, each iteration would create a new file, leading to storage bloat
+ * - The latest version is what matters for re-upload to the code environment
+ *
+ * **Implications:**
+ * - Different messages producing files with the same name will update the same file record
+ * - The `messageId` field tracks which message last updated the file
+ * - The `usage` counter tracks how many times the file has been generated
+ *
+ * **Future Considerations:**
+ * - If file versioning is needed, consider adding a `versions` array or separate version collection
+ * - The current approach prioritizes storage efficiency over history preservation
+ *
+ * @param {string} filename - The filename to search for.
+ * @param {string} conversationId - The conversation ID.
+ * @returns {Promise<MongoFile | null>} The existing file or null.
+ */
+const findExistingCodeFile = async (filename, conversationId) => {
+  if (!filename || !conversationId) {
+    return null;
+  }
+  const files = await getFiles(
+    {
+      filename,
+      conversationId,
+      context: FileContext.execute_code,
+    },
+    { createdAt: -1 },
+    { text: 0 },
+  );
+  return files?.[0] ?? null;
+};
+
+/**
+ * Process code execution output files - downloads and saves both images and non-image files.
+ * All files are saved to local storage with fileIdentifier metadata for code env re-upload.
  * @param {ServerRequest} params.req - The Express request object.
- * @param {string} params.id - The file ID.
+ * @param {string} params.id - The file ID from the code environment.
  * @param {string} params.name - The filename.
  * @param {string} params.apiKey - The code execution API key.
  * @param {string} params.toolCallId - The tool call ID that generated the file.
  * @param {string} params.session_id - The code execution session ID.
  * @param {string} params.conversationId - The current conversation ID.
  * @param {string} params.messageId - The current message ID.
- * @returns {Promise<MongoFile & { messageId: string, toolCallId: string } | { filename: string; filepath: string; expiresAt: number; conversationId: string; toolCallId: string; messageId: string } | undefined>} The file metadata or undefined if an error occurs.
+ * @returns {Promise<MongoFile & { messageId: string, toolCallId: string } | undefined>} The file metadata or undefined if an error occurs.
  */
 const processCodeOutput = async ({
   req,
@@ -41,19 +126,15 @@ const processCodeOutput = async ({
   const appConfig = req.config;
   const currentDate = new Date();
   const baseURL = getCodeBaseURL();
-  const basePath = getBasePath();
-  const fileExt = path.extname(name);
-  if (!fileExt || !imageExtRegex.test(name)) {
-    return {
-      filename: name,
-      filepath: `${basePath}/api/files/code/download/${session_id}/${id}`,
-      /** Note: expires 24 hours after creation */
-      expiresAt: currentDate.getTime() + 86400000,
-      conversationId,
-      toolCallId,
-      messageId,
-    };
-  }
+  const fileExt = path.extname(name).toLowerCase();
+  const isImage = fileExt && imageExtRegex.test(name);
+
+  const mergedFileConfig = mergeFileConfig(appConfig.fileConfig);
+  const endpointFileConfig = getEndpointFileConfig({
+    fileConfig: mergedFileConfig,
+    endpoint: EModelEndpoint.agents,
+  });
+  const fileSizeLimit = endpointFileConfig.fileSizeLimit ?? mergedFileConfig.serverFileSizeLimit;
 
   try {
     const formattedDate = currentDate.toISOString();
@@ -70,29 +151,135 @@ const processCodeOutput = async ({
 
     const buffer = Buffer.from(response.data, 'binary');
 
-    const file_id = v4();
-    const _file = await convertImage(req, buffer, 'high', `${file_id}${fileExt}`);
+    // Enforce file size limit
+    if (buffer.length > fileSizeLimit) {
+      logger.warn(
+        `[processCodeOutput] File "${name}" (${(buffer.length / megabyte).toFixed(2)} MB) exceeds size limit of ${(fileSizeLimit / megabyte).toFixed(2)} MB, falling back to download URL`,
+      );
+      return createDownloadFallback({
+        id,
+        name,
+        messageId,
+        toolCallId,
+        session_id,
+        conversationId,
+        expiresAt: currentDate.getTime() + 86400000,
+      });
+    }
+
+    const fileIdentifier = `${session_id}/${id}`;
+
+    /**
+     * Check for existing file with same filename in this conversation.
+     * If found, we'll update it instead of creating a duplicate.
+     */
+    const existingFile = await findExistingCodeFile(name, conversationId);
+    const file_id = existingFile?.file_id ?? v4();
+    const isUpdate = !!existingFile;
+
+    if (isUpdate) {
+      logger.debug(
+        `[processCodeOutput] Updating existing file "${name}" (${file_id}) instead of creating duplicate`,
+      );
+    }
+
+    if (isImage) {
+      const _file = await convertImage(req, buffer, 'high', `${file_id}${fileExt}`);
+      const file = {
+        ..._file,
+        file_id,
+        messageId,
+        usage: isUpdate ? (existingFile.usage ?? 0) + 1 : 1,
+        filename: name,
+        conversationId,
+        user: req.user.id,
+        type: `image/${appConfig.imageOutputType}`,
+        createdAt: isUpdate ? existingFile.createdAt : formattedDate,
+        updatedAt: formattedDate,
+        source: appConfig.fileStrategy,
+        context: FileContext.execute_code,
+        metadata: { fileIdentifier },
+      };
+      createFile(file, true);
+      return Object.assign(file, { messageId, toolCallId });
+    }
+
+    // For non-image files, save to configured storage strategy
+    const { saveBuffer } = getStrategyFunctions(appConfig.fileStrategy);
+    if (!saveBuffer) {
+      logger.warn(
+        `[processCodeOutput] saveBuffer not available for strategy ${appConfig.fileStrategy}, falling back to download URL`,
+      );
+      return createDownloadFallback({
+        id,
+        name,
+        messageId,
+        toolCallId,
+        session_id,
+        conversationId,
+        expiresAt: currentDate.getTime() + 86400000,
+      });
+    }
+
+    // Determine MIME type from buffer or extension
+    const detectedType = await determineFileType(buffer, true);
+    const mimeType = detectedType?.mime || inferMimeType(name, '') || 'application/octet-stream';
+
+    /** Check MIME type support - for code-generated files, we're lenient but log unsupported types */
+    const isSupportedMimeType = fileConfig.checkType(
+      mimeType,
+      endpointFileConfig.supportedMimeTypes,
+    );
+    if (!isSupportedMimeType) {
+      logger.warn(
+        `[processCodeOutput] File "${name}" has unsupported MIME type "${mimeType}", proceeding with storage but may not be usable as tool resource`,
+      );
+    }
+
+    const fileName = `${file_id}__${name}`;
+    const filepath = await saveBuffer({
+      userId: req.user.id,
+      buffer,
+      fileName,
+      basePath: 'uploads',
+    });
+
     const file = {
-      ..._file,
       file_id,
-      usage: 1,
+      filepath,
+      messageId,
+      object: 'file',
       filename: name,
+      type: mimeType,
       conversationId,
       user: req.user.id,
-      type: `image/${appConfig.imageOutputType}`,
-      createdAt: formattedDate,
+      bytes: buffer.length,
       updatedAt: formattedDate,
+      metadata: { fileIdentifier },
       source: appConfig.fileStrategy,
       context: FileContext.execute_code,
+      usage: isUpdate ? (existingFile.usage ?? 0) + 1 : 1,
+      createdAt: isUpdate ? existingFile.createdAt : formattedDate,
     };
+
     createFile(file, true);
-    /** Note: `messageId` & `toolCallId` are not part of file DB schema; message object records associated file ID */
     return Object.assign(file, { messageId, toolCallId });
   } catch (error) {
     logAxiosError({
-      message: 'Error downloading code environment file',
+      message: 'Error downloading/processing code environment file',
       error,
     });
+
+    // Fallback for download errors - return download URL so user can still manually download
+    return createDownloadFallback({
+      id,
+      name,
+      messageId,
+      toolCallId,
+      session_id,
+      conversationId,
+      expiresAt: currentDate.getTime() + 86400000,
+    });
   }
 };
 
@@ -204,9 +391,16 @@ const primeFiles = async (options, apiKey) => {
         if (!toolContext) {
           toolContext = `- Note: The following files are available in the "${Tools.execute_code}" tool environment:`;
         }
-        toolContext += `\n\t- /mnt/data/${file.filename}${
-          agentResourceIds.has(file.file_id) ? '' : ' (just attached by user)'
-        }`;
+
+        let fileSuffix = '';
+        if (!agentResourceIds.has(file.file_id)) {
+          fileSuffix =
+            file.context === FileContext.execute_code
+              ? ' (from previous code execution)'
+              : ' (attached by user)';
+        }
+
+        toolContext += `\n\t- /mnt/data/${file.filename}${fileSuffix}`;
         files.push({
           id,
           session_id,
diff --git a/api/server/services/Files/Code/process.spec.js b/api/server/services/Files/Code/process.spec.js
new file mode 100644
index 000000000000..7e15888876fe
--- /dev/null
+++ b/api/server/services/Files/Code/process.spec.js
@@ -0,0 +1,418 @@
+// Configurable file size limit for tests - use a getter so it can be changed per test
+const fileSizeLimitConfig = { value: 20 * 1024 * 1024 }; // Default 20MB
+
+// Mock librechat-data-provider with configurable file size limit
+jest.mock('librechat-data-provider', () => {
+  const actual = jest.requireActual('librechat-data-provider');
+  return {
+    ...actual,
+    mergeFileConfig: jest.fn((config) => {
+      const merged = actual.mergeFileConfig(config);
+      // Override the serverFileSizeLimit with our test value
+      return {
+        ...merged,
+        get serverFileSizeLimit() {
+          return fileSizeLimitConfig.value;
+        },
+      };
+    }),
+    getEndpointFileConfig: jest.fn((options) => {
+      const config = actual.getEndpointFileConfig(options);
+      // Override fileSizeLimit with our test value
+      return {
+        ...config,
+        get fileSizeLimit() {
+          return fileSizeLimitConfig.value;
+        },
+      };
+    }),
+  };
+});
+
+const { FileContext } = require('librechat-data-provider');
+
+// Mock uuid
+jest.mock('uuid', () => ({
+  v4: jest.fn(() => 'mock-uuid-1234'),
+}));
+
+// Mock axios
+jest.mock('axios');
+const axios = require('axios');
+
+// Mock logger
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    warn: jest.fn(),
+    debug: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+// Mock getCodeBaseURL
+jest.mock('@librechat/agents', () => ({
+  getCodeBaseURL: jest.fn(() => 'https://code-api.example.com'),
+}));
+
+// Mock logAxiosError and getBasePath
+jest.mock('@librechat/api', () => ({
+  logAxiosError: jest.fn(),
+  getBasePath: jest.fn(() => ''),
+}));
+
+// Mock models
+jest.mock('~/models', () => ({
+  createFile: jest.fn(),
+  getFiles: jest.fn(),
+  updateFile: jest.fn(),
+}));
+
+// Mock permissions (must be before process.js import)
+jest.mock('~/server/services/Files/permissions', () => ({
+  filterFilesByAgentAccess: jest.fn((options) => Promise.resolve(options.files)),
+}));
+
+// Mock strategy functions
+jest.mock('~/server/services/Files/strategies', () => ({
+  getStrategyFunctions: jest.fn(),
+}));
+
+// Mock convertImage
+jest.mock('~/server/services/Files/images/convert', () => ({
+  convertImage: jest.fn(),
+}));
+
+// Mock determineFileType
+jest.mock('~/server/utils', () => ({
+  determineFileType: jest.fn(),
+}));
+
+const { createFile, getFiles } = require('~/models');
+const { getStrategyFunctions } = require('~/server/services/Files/strategies');
+const { convertImage } = require('~/server/services/Files/images/convert');
+const { determineFileType } = require('~/server/utils');
+const { logger } = require('@librechat/data-schemas');
+
+// Import after mocks
+const { processCodeOutput } = require('./process');
+
+describe('Code Process', () => {
+  const mockReq = {
+    user: { id: 'user-123' },
+    config: {
+      fileConfig: {},
+      fileStrategy: 'local',
+      imageOutputType: 'webp',
+    },
+  };
+
+  const baseParams = {
+    req: mockReq,
+    id: 'file-id-123',
+    name: 'test-file.txt',
+    apiKey: 'test-api-key',
+    toolCallId: 'tool-call-123',
+    conversationId: 'conv-123',
+    messageId: 'msg-123',
+    session_id: 'session-123',
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    // Default mock implementations
+    getFiles.mockResolvedValue(null);
+    createFile.mockResolvedValue({});
+    getStrategyFunctions.mockReturnValue({
+      saveBuffer: jest.fn().mockResolvedValue('/uploads/mock-file-path.txt'),
+    });
+    determineFileType.mockResolvedValue({ mime: 'text/plain' });
+  });
+
+  describe('findExistingCodeFile (via processCodeOutput)', () => {
+    it('should find existing file by filename and conversationId', async () => {
+      const existingFile = {
+        file_id: 'existing-file-id',
+        filename: 'test-file.txt',
+        usage: 2,
+        createdAt: '2024-01-01T00:00:00.000Z',
+      };
+      getFiles.mockResolvedValue([existingFile]);
+
+      const smallBuffer = Buffer.alloc(100);
+      axios.mockResolvedValue({ data: smallBuffer });
+
+      const result = await processCodeOutput(baseParams);
+
+      // Verify getFiles was called with correct deduplication query
+      expect(getFiles).toHaveBeenCalledWith(
+        {
+          filename: 'test-file.txt',
+          conversationId: 'conv-123',
+          context: FileContext.execute_code,
+        },
+        { createdAt: -1 },
+        { text: 0 },
+      );
+
+      // Verify the existing file_id was reused
+      expect(result.file_id).toBe('existing-file-id');
+      // Verify usage was incremented
+      expect(result.usage).toBe(3);
+      // Verify original createdAt was preserved
+      expect(result.createdAt).toBe('2024-01-01T00:00:00.000Z');
+    });
+
+    it('should create new file when no existing file found', async () => {
+      getFiles.mockResolvedValue(null);
+
+      const smallBuffer = Buffer.alloc(100);
+      axios.mockResolvedValue({ data: smallBuffer });
+
+      const result = await processCodeOutput(baseParams);
+
+      // Should use the mocked uuid
+      expect(result.file_id).toBe('mock-uuid-1234');
+      // Should have usage of 1 for new file
+      expect(result.usage).toBe(1);
+    });
+
+    it('should return null for invalid inputs (empty filename)', async () => {
+      const smallBuffer = Buffer.alloc(100);
+      axios.mockResolvedValue({ data: smallBuffer });
+
+      // The function handles this internally - with empty name
+      // findExistingCodeFile returns null early for empty filename (guard clause)
+      const result = await processCodeOutput({ ...baseParams, name: '' });
+
+      // getFiles should NOT be called due to early return in findExistingCodeFile
+      expect(getFiles).not.toHaveBeenCalled();
+      // A new file_id should be generated since no existing file was found
+      expect(result.file_id).toBe('mock-uuid-1234');
+    });
+  });
+
+  describe('processCodeOutput', () => {
+    describe('image file processing', () => {
+      it('should process image files using convertImage', async () => {
+        const imageParams = { ...baseParams, name: 'chart.png' };
+        const imageBuffer = Buffer.alloc(500);
+        axios.mockResolvedValue({ data: imageBuffer });
+
+        const convertedFile = {
+          filepath: '/uploads/converted-image.webp',
+          bytes: 400,
+        };
+        convertImage.mockResolvedValue(convertedFile);
+        getFiles.mockResolvedValue(null);
+
+        const result = await processCodeOutput(imageParams);
+
+        expect(convertImage).toHaveBeenCalledWith(
+          mockReq,
+          imageBuffer,
+          'high',
+          'mock-uuid-1234.png',
+        );
+        expect(result.type).toBe('image/webp');
+        expect(result.context).toBe(FileContext.execute_code);
+        expect(result.filename).toBe('chart.png');
+      });
+
+      it('should update existing image file and increment usage', async () => {
+        const imageParams = { ...baseParams, name: 'chart.png' };
+        const existingFile = {
+          file_id: 'existing-img-id',
+          usage: 1,
+          createdAt: '2024-01-01T00:00:00.000Z',
+        };
+        getFiles.mockResolvedValue([existingFile]);
+
+        const imageBuffer = Buffer.alloc(500);
+        axios.mockResolvedValue({ data: imageBuffer });
+        convertImage.mockResolvedValue({ filepath: '/uploads/img.webp' });
+
+        const result = await processCodeOutput(imageParams);
+
+        expect(result.file_id).toBe('existing-img-id');
+        expect(result.usage).toBe(2);
+        expect(logger.debug).toHaveBeenCalledWith(
+          expect.stringContaining('Updating existing file'),
+        );
+      });
+    });
+
+    describe('non-image file processing', () => {
+      it('should process non-image files using saveBuffer', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const mockSaveBuffer = jest.fn().mockResolvedValue('/uploads/saved-file.txt');
+        getStrategyFunctions.mockReturnValue({ saveBuffer: mockSaveBuffer });
+        determineFileType.mockResolvedValue({ mime: 'text/plain' });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(mockSaveBuffer).toHaveBeenCalledWith({
+          userId: 'user-123',
+          buffer: smallBuffer,
+          fileName: 'mock-uuid-1234__test-file.txt',
+          basePath: 'uploads',
+        });
+        expect(result.type).toBe('text/plain');
+        expect(result.filepath).toBe('/uploads/saved-file.txt');
+        expect(result.bytes).toBe(100);
+      });
+
+      it('should detect MIME type from buffer', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+        determineFileType.mockResolvedValue({ mime: 'application/pdf' });
+
+        const result = await processCodeOutput({ ...baseParams, name: 'document.pdf' });
+
+        expect(determineFileType).toHaveBeenCalledWith(smallBuffer, true);
+        expect(result.type).toBe('application/pdf');
+      });
+
+      it('should fallback to application/octet-stream for unknown types', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+        determineFileType.mockResolvedValue(null);
+
+        const result = await processCodeOutput({ ...baseParams, name: 'unknown.xyz' });
+
+        expect(result.type).toBe('application/octet-stream');
+      });
+    });
+
+    describe('file size limit enforcement', () => {
+      it('should fallback to download URL when file exceeds size limit', async () => {
+        // Set a small file size limit for this test
+        fileSizeLimitConfig.value = 1000; // 1KB limit
+
+        const largeBuffer = Buffer.alloc(5000); // 5KB - exceeds 1KB limit
+        axios.mockResolvedValue({ data: largeBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(logger.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds size limit'));
+        expect(result.filepath).toContain('/api/files/code/download/session-123/file-id-123');
+        expect(result.expiresAt).toBeDefined();
+        // Should not call createFile for oversized files (fallback path)
+        expect(createFile).not.toHaveBeenCalled();
+
+        // Reset to default for other tests
+        fileSizeLimitConfig.value = 20 * 1024 * 1024;
+      });
+    });
+
+    describe('fallback behavior', () => {
+      it('should fallback to download URL when saveBuffer is not available', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+        getStrategyFunctions.mockReturnValue({ saveBuffer: null });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(logger.warn).toHaveBeenCalledWith(
+          expect.stringContaining('saveBuffer not available'),
+        );
+        expect(result.filepath).toContain('/api/files/code/download/');
+        expect(result.filename).toBe('test-file.txt');
+      });
+
+      it('should fallback to download URL on axios error', async () => {
+        axios.mockRejectedValue(new Error('Network error'));
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.filepath).toContain('/api/files/code/download/session-123/file-id-123');
+        expect(result.conversationId).toBe('conv-123');
+        expect(result.messageId).toBe('msg-123');
+        expect(result.toolCallId).toBe('tool-call-123');
+      });
+    });
+
+    describe('usage counter increment', () => {
+      it('should set usage to 1 for new files', async () => {
+        getFiles.mockResolvedValue(null);
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.usage).toBe(1);
+      });
+
+      it('should increment usage for existing files', async () => {
+        const existingFile = { file_id: 'existing-id', usage: 5, createdAt: '2024-01-01' };
+        getFiles.mockResolvedValue([existingFile]);
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.usage).toBe(6);
+      });
+
+      it('should handle existing file with undefined usage', async () => {
+        const existingFile = { file_id: 'existing-id', createdAt: '2024-01-01' };
+        getFiles.mockResolvedValue([existingFile]);
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        // (undefined ?? 0) + 1 = 1
+        expect(result.usage).toBe(1);
+      });
+    });
+
+    describe('metadata and file properties', () => {
+      it('should include fileIdentifier in metadata', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.metadata).toEqual({
+          fileIdentifier: 'session-123/file-id-123',
+        });
+      });
+
+      it('should set correct context for code-generated files', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.context).toBe(FileContext.execute_code);
+      });
+
+      it('should include toolCallId and messageId in result', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        const result = await processCodeOutput(baseParams);
+
+        expect(result.toolCallId).toBe('tool-call-123');
+        expect(result.messageId).toBe('msg-123');
+      });
+
+      it('should call createFile with upsert enabled', async () => {
+        const smallBuffer = Buffer.alloc(100);
+        axios.mockResolvedValue({ data: smallBuffer });
+
+        await processCodeOutput(baseParams);
+
+        expect(createFile).toHaveBeenCalledWith(
+          expect.objectContaining({
+            file_id: 'mock-uuid-1234',
+            context: FileContext.execute_code,
+          }),
+          true, // upsert flag
+        );
+      });
+    });
+  });
+});
diff --git a/api/server/services/Files/Local/crud.js b/api/server/services/Files/Local/crud.js
index db553f57ddc0..b43ab7532619 100644
--- a/api/server/services/Files/Local/crud.js
+++ b/api/server/services/Files/Local/crud.js
@@ -67,7 +67,12 @@ async function saveLocalBuffer({ userId, buffer, fileName, basePath = 'images' }
   try {
     const { publicPath, uploads } = paths;
 
-    const directoryPath = path.join(basePath === 'images' ? publicPath : uploads, basePath, userId);
+    /**
+     * For 'images': save to publicPath/images/userId (images are served statically)
+     * For 'uploads': save to uploads/userId (files downloaded via API)
+     * */
+    const directoryPath =
+      basePath === 'images' ? path.join(publicPath, basePath, userId) : path.join(uploads, userId);
 
     if (!fs.existsSync(directoryPath)) {
       fs.mkdirSync(directoryPath, { recursive: true });
diff --git a/api/server/services/MCP.js b/api/server/services/MCP.js
index 81d7107de40c..df1e637b1bb3 100644
--- a/api/server/services/MCP.js
+++ b/api/server/services/MCP.js
@@ -29,6 +29,7 @@ const {
   getMCPManager,
 } = require('~/config');
 const { findToken, createToken, updateToken } = require('~/models');
+const { getGraphApiToken } = require('./GraphTokenService');
 const { reinitMCPServer } = require('./Tools/mcp');
 const { getAppConfig } = require('./Config');
 const { getLogStores } = require('~/cache');
@@ -501,6 +502,7 @@ function createToolInstance({
         },
         oauthStart,
         oauthEnd,
+        graphTokenResolver: getGraphApiToken,
       });
 
       if (isAssistantsEndpoint(provider) && Array.isArray(result)) {
@@ -548,6 +550,7 @@ function createToolInstance({
   });
   toolInstance.mcp = true;
   toolInstance.mcpRawServerName = serverName;
+  toolInstance.mcpJsonSchema = parameters;
   return toolInstance;
 }
 
diff --git a/api/server/services/MCP.spec.js b/api/server/services/MCP.spec.js
index cb2f0081a3d9..5d7eb093be68 100644
--- a/api/server/services/MCP.spec.js
+++ b/api/server/services/MCP.spec.js
@@ -120,6 +120,10 @@ jest.mock('./Tools/mcp', () => ({
   reinitMCPServer: jest.fn(),
 }));
 
+jest.mock('./GraphTokenService', () => ({
+  getGraphApiToken: jest.fn(),
+}));
+
 describe('tests for the new helper functions used by the MCP connection status endpoints', () => {
   let mockGetMCPManager;
   let mockGetFlowStateManager;
diff --git a/api/server/services/PermissionService.js b/api/server/services/PermissionService.js
index c35faf7c8d91..a843f48f6fe0 100644
--- a/api/server/services/PermissionService.js
+++ b/api/server/services/PermissionService.js
@@ -141,7 +141,6 @@ const checkPermission = async ({ userId, role, resourceType, resourceId, require
 
     validateResourceType(resourceType);
 
-    // Get all principals for the user (user + groups + public)
     const principals = await getUserPrincipals({ userId, role });
 
     if (principals.length === 0) {
@@ -151,7 +150,6 @@ const checkPermission = async ({ userId, role, resourceType, resourceId, require
     return await hasPermission(principals, resourceType, resourceId, requiredPermission);
   } catch (error) {
     logger.error(`[PermissionService.checkPermission] Error: ${error.message}`);
-    // Re-throw validation errors
     if (error.message.includes('requiredPermission must be')) {
       throw error;
     }
@@ -172,12 +170,12 @@ const getEffectivePermissions = async ({ userId, role, resourceType, resourceId
   try {
     validateResourceType(resourceType);
 
-    // Get all principals for the user (user + groups + public)
     const principals = await getUserPrincipals({ userId, role });
 
     if (principals.length === 0) {
       return 0;
     }
+
     return await getEffectivePermissionsACL(principals, resourceType, resourceId);
   } catch (error) {
     logger.error(`[PermissionService.getEffectivePermissions] Error: ${error.message}`);
diff --git a/api/server/services/ToolService.js b/api/server/services/ToolService.js
index 62d25b23eb70..f72b4169dc57 100644
--- a/api/server/services/ToolService.js
+++ b/api/server/services/ToolService.js
@@ -6,6 +6,7 @@ const {
   hasCustomUserVars,
   getUserMCPAuthMap,
   isActionDomainAllowed,
+  buildToolClassification,
 } = require('@librechat/api');
 const {
   Tools,
@@ -36,6 +37,7 @@ const { recordUsage } = require('~/server/services/Threads');
 const { loadTools } = require('~/app/clients/tools/util');
 const { redactMessage } = require('~/config/parsers');
 const { findPluginAuthsByKeys } = require('~/models');
+const { loadAuthValues } = require('~/server/services/Tools/credentials');
 /**
  * Processes the required actions by calling the appropriate tools and returning the outputs.
  * @param {OpenAIClient} client - OpenAI or StreamRunManager Client.
@@ -367,7 +369,13 @@ async function processRequiredActions(client, requiredActions) {
  * @param {AbortSignal} params.signal
  * @param {Pick<Agent, 'id' | 'provider' | 'model' | 'tools'} params.agent - The agent to load tools for.
  * @param {string | undefined} [params.openAIApiKey] - The OpenAI API key.
- * @returns {Promise<{ tools?: StructuredTool[]; userMCPAuthMap?: Record<string, Record<string, string>> }>} The agent tools.
+ * @returns {Promise<{
+ *   tools?: StructuredTool[];
+ *   toolContextMap?: Record<string, unknown>;
+ *   userMCPAuthMap?: Record<string, Record<string, string>>;
+ *   toolRegistry?: Map<string, import('~/utils/toolClassification').LCTool>;
+ *   hasDeferredTools?: boolean;
+ * }>} The agent tools and registry.
  */
 async function loadAgentTools({
   req,
@@ -401,8 +409,14 @@ async function loadAgentTools({
   const checkCapability = (capability) => {
     const enabled = enabledCapabilities.has(capability);
     if (!enabled) {
+      const isToolCapability = [
+        AgentCapabilities.file_search,
+        AgentCapabilities.execute_code,
+        AgentCapabilities.web_search,
+      ].includes(capability);
+      const suffix = isToolCapability ? ' despite configured tool.' : '.';
       logger.warn(
-        `Capability "${capability}" disabled${capability === AgentCapabilities.tools ? '.' : ' despite configured tool.'} User: ${req.user.id} | Agent: ${agent.id}`,
+        `Capability "${capability}" disabled${suffix} User: ${req.user.id} | Agent: ${agent.id}`,
       );
     }
     return enabled;
@@ -510,11 +524,25 @@ async function loadAgentTools({
     return map;
   }, {});
 
+  /** Build tool registry from MCP tools and create PTC/tool search tools if configured */
+  const deferredToolsEnabled = checkCapability(AgentCapabilities.deferred_tools);
+  const { toolRegistry, additionalTools, hasDeferredTools } = await buildToolClassification({
+    loadedTools,
+    userId: req.user.id,
+    agentId: agent.id,
+    agentToolOptions: agent.tool_options,
+    deferredToolsEnabled,
+    loadAuthValues,
+  });
+  agentTools.push(...additionalTools);
+
   if (!checkCapability(AgentCapabilities.actions)) {
     return {
       tools: agentTools,
       userMCPAuthMap,
       toolContextMap,
+      toolRegistry,
+      hasDeferredTools,
     };
   }
 
@@ -527,6 +555,8 @@ async function loadAgentTools({
       tools: agentTools,
       userMCPAuthMap,
       toolContextMap,
+      toolRegistry,
+      hasDeferredTools,
     };
   }
 
@@ -654,6 +684,8 @@ async function loadAgentTools({
     tools: agentTools,
     toolContextMap,
     userMCPAuthMap,
+    toolRegistry,
+    hasDeferredTools,
   };
 }
 
diff --git a/api/server/services/__tests__/AuthService.openid-lax-cookie.spec.js b/api/server/services/__tests__/AuthService.openid-lax-cookie.spec.js
new file mode 100644
index 000000000000..4a1dd96283cd
--- /dev/null
+++ b/api/server/services/__tests__/AuthService.openid-lax-cookie.spec.js
@@ -0,0 +1,389 @@
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    error: jest.fn(),
+    debug: jest.fn(),
+    info: jest.fn(),
+    warn: jest.fn(),
+  },
+  hashToken: jest.fn((token) => `hashed-${token}`),
+  createMethods: jest.fn(() => ({})),
+  DEFAULT_REFRESH_TOKEN_EXPIRY: 1000 * 60 * 60 * 24 * 7, // 7 days in milliseconds
+  DEFAULT_SESSION_EXPIRY: 1000 * 60 * 15, // 15 minutes in milliseconds
+}));
+
+jest.mock('librechat-data-provider', () => ({
+  ...jest.requireActual('librechat-data-provider'),
+}));
+
+jest.mock('@librechat/api', () => ({
+  ...jest.requireActual('@librechat/api'),
+  checkEmailConfig: jest.fn(() => false),
+  isEmailDomainAllowed: jest.fn(() => true),
+  extractSubFromAccessToken: jest.fn((token) => {
+    if (!token) {
+      return { sub: null, error: 'No access token provided' };
+    }
+    if (token === 'test-access-token') {
+      return { sub: 'cognito-sub-12345' };
+    }
+    if (token === 'token-without-sub') {
+      return { sub: null, error: 'No sub claim in access token' };
+    }
+    if (token === 'invalid-token') {
+      return { sub: null, error: 'Failed to decode access token' };
+    }
+    return { sub: 'default-sub-claim' };
+  }),
+}));
+
+jest.mock('jsonwebtoken', () => ({
+  sign: jest.fn((payload, _secret, _options) => {
+    if (payload.id) {
+      return `mocked-jwt-token-${payload.id}`;
+    }
+    if (payload.sub) {
+      return `mocked-jwt-token-${payload.sub}`;
+    }
+    return 'mocked-jwt-token';
+  }),
+  verify: jest.fn(),
+  decode: jest.fn((token) => {
+    if (token === 'test-access-token') {
+      return { sub: 'cognito-sub-12345', aud: 'test-client-id' };
+    }
+    return null;
+  }),
+}));
+
+jest.mock('bcryptjs', () => ({
+  genSaltSync: jest.fn(() => 'mock-salt'),
+  hashSync: jest.fn((password) => `hashed-${password}`),
+  compareSync: jest.fn(() => true),
+}));
+
+jest.mock('~/models', () => ({
+  findUser: jest.fn(),
+  findToken: jest.fn(),
+  createUser: jest.fn(),
+  updateUser: jest.fn(),
+  countUsers: jest.fn(),
+  getUserById: jest.fn(),
+  findSession: jest.fn(),
+  createToken: jest.fn(),
+  deleteTokens: jest.fn(),
+  deleteSession: jest.fn(),
+  createSession: jest.fn(),
+  generateToken: jest.fn(),
+  deleteUserById: jest.fn(),
+  generateRefreshToken: jest.fn(),
+}));
+
+jest.mock('~/strategies/validators', () => ({
+  registerSchema: {
+    safeParse: jest.fn(() => ({ error: null })),
+  },
+}));
+
+jest.mock('~/server/services/Config', () => ({
+  getAppConfig: jest.fn(() => Promise.resolve({})),
+}));
+
+jest.mock('~/server/utils', () => ({
+  sendEmail: jest.fn(() => Promise.resolve()),
+}));
+
+const { setOpenIDAuthTokens } = require('../AuthService');
+
+describe('setOpenIDAuthTokens - OPENID_EXPOSE_SUB_COOKIE feature', () => {
+  let mockReq;
+  let mockRes;
+  let mockTokenset;
+  const testUserId = 'test-user-id-12345';
+
+  beforeEach(() => {
+    // mockReq without session to test cookie fallback path
+    mockReq = {};
+
+    mockRes = {
+      cookie: jest.fn(),
+    };
+
+    mockTokenset = {
+      access_token: 'test-access-token',
+      refresh_token: 'test-refresh-token',
+      id_token: 'test-id-token',
+    };
+
+    // Reset NODE_ENV to production for secure cookies
+    const originalEnv = process.env.NODE_ENV;
+    process.env.NODE_ENV = 'production';
+    // Store original value to restore later
+    process.env._ORIGINAL_NODE_ENV = originalEnv;
+    process.env.JWT_REFRESH_SECRET = 'test-secret';
+    jest.clearAllMocks();
+  });
+
+  afterEach(() => {
+    // Restore original NODE_ENV value
+    if (process.env._ORIGINAL_NODE_ENV) {
+      process.env.NODE_ENV = process.env._ORIGINAL_NODE_ENV;
+      delete process.env._ORIGINAL_NODE_ENV;
+    } else {
+      delete process.env.NODE_ENV;
+    }
+    delete process.env.JWT_REFRESH_SECRET;
+    delete process.env.OPENID_REUSE_TOKENS;
+    delete process.env.REFRESH_TOKEN_EXPIRY;
+    delete process.env.OPENID_EXPOSE_SUB_COOKIE;
+  });
+
+  describe('cookie count verification', () => {
+    it('should set 3 cookies when OPENID_REUSE_TOKENS is false and OPENID_EXPOSE_SUB_COOKIE is false', () => {
+      process.env.OPENID_REUSE_TOKENS = 'false';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'false';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(3);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual(['refreshToken', 'openid_access_token', 'token_provider']);
+    });
+
+    it('should set 4 cookies when OPENID_REUSE_TOKENS is true and OPENID_EXPOSE_SUB_COOKIE is false', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'false';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(4);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual([
+        'refreshToken',
+        'openid_access_token',
+        'token_provider',
+        'openid_user_id',
+      ]);
+    });
+
+    it('should set 5 cookies when both OPENID_REUSE_TOKENS and OPENID_EXPOSE_SUB_COOKIE are true', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(5);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual([
+        'refreshToken',
+        'openid_access_token',
+        'token_provider',
+        'openid_user_id',
+        'openid_sub',
+      ]);
+    });
+
+    it('should set 4 cookies when OPENID_EXPOSE_SUB_COOKIE is true but OPENID_REUSE_TOKENS is false', () => {
+      process.env.OPENID_REUSE_TOKENS = 'false';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(4);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual([
+        'refreshToken',
+        'openid_access_token',
+        'token_provider',
+        'openid_sub',
+      ]);
+    });
+  });
+
+  describe('other cookies remain strict', () => {
+    it('should keep all other cookies with strict sameSite when OPENID_EXPOSE_SUB_COOKIE is true', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const refreshTokenCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'refreshToken');
+      const accessTokenCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_access_token',
+      );
+      const providerCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'token_provider');
+      const userIdCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_user_id');
+
+      // All other cookies should remain strict
+      expect(refreshTokenCall[2].sameSite).toBe('strict');
+      expect(accessTokenCall[2].sameSite).toBe('strict');
+      expect(providerCall[2].sameSite).toBe('strict');
+      expect(userIdCall[2].sameSite).toBe('strict');
+    });
+  });
+
+  describe('openid_sub cookie for Cognito sub claim', () => {
+    it('should create JWT-signed openid_sub cookie when OPENID_EXPOSE_SUB_COOKIE is true', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeDefined();
+      expect(openidSubCall[1]).toBe('mocked-jwt-token-cognito-sub-12345'); // JWT-signed
+      expect(openidSubCall[2]).toMatchObject({
+        httpOnly: true,
+        sameSite: 'lax',
+      });
+    });
+
+    it('should not create openid_sub cookie when OPENID_EXPOSE_SUB_COOKIE is false', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'false';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+    });
+
+    it('should sign the Cognito sub claim with JWT_REFRESH_SECRET', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+      const jwt = require('jsonwebtoken');
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(jwt.sign).toHaveBeenCalledWith(
+        { sub: 'cognito-sub-12345' },
+        'test-secret',
+        expect.objectContaining({
+          expiresIn: expect.any(Number),
+        }),
+      );
+    });
+
+    it('should set correct expiration on openid_sub cookie', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+      const expiryInMs = 1000 * 60 * 60 * 24 * 7; // 7 days
+      const beforeTime = Date.now() + expiryInMs;
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const afterTime = Date.now() + expiryInMs;
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+
+      expect(openidSubCall[2].expires).toBeInstanceOf(Date);
+      expect(openidSubCall[2].expires.getTime()).toBeGreaterThanOrEqual(beforeTime);
+      expect(openidSubCall[2].expires.getTime()).toBeLessThanOrEqual(afterTime);
+    });
+  });
+
+  describe('AWS Bedrock AgentCore 3LO use case', () => {
+    it('should support 3LO callback flow with JWT-signed lax openid_sub cookie', () => {
+      // Simulate AWS Bedrock AgentCore setup
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+
+      // Verify cookie allows cross-site GET requests (OAuth callbacks)
+      expect(openidSubCall[2].sameSite).toBe('lax');
+
+      // Verify cookie maintains security
+      expect(openidSubCall[2].httpOnly).toBe(true);
+      expect(openidSubCall[2]).toHaveProperty('secure');
+
+      // Verify it's JWT-signed for verification in callback service
+      expect(openidSubCall[1]).toMatch(/^mocked-jwt-token-/);
+    });
+  });
+
+  describe('backwards compatibility', () => {
+    it('should not create openid_sub cookie when feature flag is not set', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+      // OPENID_EXPOSE_SUB_COOKIE not set
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+    });
+
+    it('should not break existing functionality when feature flag is enabled but OPENID_REUSE_TOKENS is false', () => {
+      process.env.OPENID_REUSE_TOKENS = 'false';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      // Should set 4 cookies: 3 standard + openid_sub
+      expect(mockRes.cookie).toHaveBeenCalledTimes(4);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual([
+        'refreshToken',
+        'openid_access_token',
+        'token_provider',
+        'openid_sub',
+      ]);
+    });
+  });
+
+  describe('error handling and edge cases', () => {
+    it('should handle missing JWT_REFRESH_SECRET gracefully', () => {
+      const { logger } = require('@librechat/data-schemas');
+      delete process.env.JWT_REFRESH_SECRET;
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+      expect(logger.error).toHaveBeenCalledWith(
+        expect.stringContaining('JWT_REFRESH_SECRET not configured'),
+      );
+    });
+
+    it('should not create openid_sub cookie when access token has no sub claim', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({
+        sub: null,
+        error: 'No sub claim in access token',
+      });
+
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+      mockTokenset.access_token = 'token-without-sub';
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+    });
+
+    it('should not create openid_sub cookie when extractSubFromAccessToken returns null', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({
+        sub: null,
+        error: 'Invalid JWT format',
+      });
+
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+      mockTokenset.access_token = 'invalid-token';
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+    });
+
+    it('should handle decode errors gracefully', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({
+        sub: null,
+        error: 'Failed to decode access token',
+      });
+
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+      mockTokenset.access_token = 'invalid-token';
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+      expect(openidSubCall).toBeUndefined();
+    });
+  });
+});
diff --git a/api/server/services/__tests__/AuthService.userid-cookie.spec.js b/api/server/services/__tests__/AuthService.userid-cookie.spec.js
new file mode 100644
index 000000000000..7b8fb7f16f42
--- /dev/null
+++ b/api/server/services/__tests__/AuthService.userid-cookie.spec.js
@@ -0,0 +1,510 @@
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    error: jest.fn(),
+    debug: jest.fn(),
+    info: jest.fn(),
+    warn: jest.fn(),
+  },
+  hashToken: jest.fn((token) => `hashed-${token}`),
+  createMethods: jest.fn(() => ({})),
+  DEFAULT_REFRESH_TOKEN_EXPIRY: 1000 * 60 * 60 * 24 * 7, // 7 days in milliseconds
+  DEFAULT_SESSION_EXPIRY: 1000 * 60 * 15, // 15 minutes in milliseconds
+}));
+
+jest.mock('librechat-data-provider', () => ({
+  ...jest.requireActual('librechat-data-provider'),
+}));
+
+jest.mock('@librechat/api', () => ({
+  ...jest.requireActual('@librechat/api'),
+  checkEmailConfig: jest.fn(() => false),
+  isEmailDomainAllowed: jest.fn(() => true),
+  extractSubFromAccessToken: jest.fn((token) => {
+    if (!token) {
+      return { sub: null, error: 'No access token provided' };
+    }
+    if (token === 'test-access-token') {
+      return { sub: 'openid-provider-sub-67890' };
+    }
+    if (token === 'token-without-sub') {
+      return { sub: null, error: 'No sub claim in access token' };
+    }
+    if (token === 'invalid-token') {
+      return { sub: null, error: 'Failed to decode access token' };
+    }
+    return { sub: 'openid-provider-sub-67890' };
+  }),
+}));
+
+jest.mock('jsonwebtoken', () => ({
+  sign: jest.fn((payload, secret, options) => {
+    if (payload.id) {
+      return `mocked-jwt-token-${payload.id}`;
+    }
+    if (payload.sub) {
+      return `mocked-jwt-token-${payload.sub}`;
+    }
+    return 'mocked-jwt-token';
+  }),
+  verify: jest.fn(),
+}));
+
+jest.mock('jsonwebtoken/decode', () =>
+  jest.fn((token) => ({
+    sub: 'openid-provider-sub-67890',
+    email: 'test@example.com',
+    name: 'Test User',
+  })),
+);
+
+jest.mock('bcryptjs', () => ({
+  genSaltSync: jest.fn(() => 'mock-salt'),
+  hashSync: jest.fn((password) => `hashed-${password}`),
+  compareSync: jest.fn(() => true),
+}));
+
+jest.mock('~/models', () => ({
+  findUser: jest.fn(),
+  findToken: jest.fn(),
+  createUser: jest.fn(),
+  updateUser: jest.fn(),
+  countUsers: jest.fn(),
+  getUserById: jest.fn(),
+  findSession: jest.fn(),
+  createToken: jest.fn(),
+  deleteTokens: jest.fn(),
+  deleteSession: jest.fn(),
+  createSession: jest.fn(),
+  generateToken: jest.fn(),
+  deleteUserById: jest.fn(),
+  generateRefreshToken: jest.fn(),
+}));
+
+jest.mock('~/strategies/validators', () => ({
+  registerSchema: {
+    safeParse: jest.fn(() => ({ error: null })),
+  },
+}));
+
+jest.mock('~/server/services/Config', () => ({
+  getAppConfig: jest.fn(() => Promise.resolve({})),
+}));
+
+jest.mock('~/server/utils', () => ({
+  sendEmail: jest.fn(() => Promise.resolve()),
+}));
+
+const { setOpenIDAuthTokens } = require('../AuthService');
+const { logger } = require('@librechat/data-schemas');
+
+describe('setOpenIDAuthTokens - openid_sub cookie functionality', () => {
+  let mockReq;
+  let mockRes;
+  let mockTokenset;
+  const testUserId = 'test-user-id-12345';
+  const testOpenIdSub = 'openid-provider-sub-67890';
+
+  beforeEach(() => {
+    // Mock request object without session to trigger cookie fallback
+    mockReq = {
+      session: null,
+    };
+
+    mockRes = {
+      cookie: jest.fn(),
+    };
+
+    // Mock jwt.decode to return decoded token with sub claim
+    const jwtDecode = require('jsonwebtoken/decode');
+    jwtDecode.mockReturnValue({
+      sub: testOpenIdSub,
+      email: 'test@example.com',
+      name: 'Test User',
+    });
+
+    mockTokenset = {
+      access_token: 'test-access-token',
+      refresh_token: 'test-refresh-token',
+      id_token: 'test-id-token',
+    };
+
+    // Reset NODE_ENV to production for secure cookies
+    const originalEnv = process.env.NODE_ENV;
+    process.env.NODE_ENV = 'production';
+    // Store original value to restore later
+    process.env._ORIGINAL_NODE_ENV = originalEnv;
+    process.env.JWT_REFRESH_SECRET = 'test-secret';
+    // Enable feature flag by default
+    process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+    jest.clearAllMocks();
+  });
+
+  afterEach(() => {
+    delete process.env.NODE_ENV;
+    delete process.env.JWT_REFRESH_SECRET;
+    delete process.env.OPENID_REUSE_TOKENS;
+    delete process.env.REFRESH_TOKEN_EXPIRY;
+    delete process.env.OPENID_EXPOSE_SUB_COOKIE;
+  });
+
+  describe('openid_sub cookie setting', () => {
+    it('should set openid_sub cookie with lax sameSite when access token contains sub', () => {
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeDefined();
+      expect(openidSubCookieCall[1]).toBe(`mocked-jwt-token-${testOpenIdSub}`);
+      expect(openidSubCookieCall[2]).toMatchObject({
+        httpOnly: true,
+        sameSite: 'lax',
+      });
+      // Verify secure flag exists (value depends on NODE_ENV)
+      expect(openidSubCookieCall[2]).toHaveProperty('secure');
+      expect(typeof openidSubCookieCall[2].secure).toBe('boolean');
+    });
+
+    it('should not set openid_sub cookie when access token has no sub claim', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({ sub: null, error: 'No sub claim' });
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+    });
+
+    it('should not set openid_sub cookie when jwt decode returns null', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({ sub: null, error: 'Decode error' });
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+    });
+
+    it('should set openid_sub cookie with secure=false in non-production environment', () => {
+      process.env.NODE_ENV = 'development';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeDefined();
+      expect(openidSubCookieCall[2]).toMatchObject({
+        httpOnly: true,
+        secure: false,
+        sameSite: 'lax',
+      });
+    });
+
+    it('should set openid_sub cookie with correct expiration date', () => {
+      const expiryInMs = 1000 * 60 * 60 * 24 * 7; // 7 days
+      const beforeTime = Date.now() + expiryInMs;
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const afterTime = Date.now() + expiryInMs;
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+
+      expect(openidSubCookieCall[2].expires).toBeInstanceOf(Date);
+      expect(openidSubCookieCall[2].expires.getTime()).toBeGreaterThanOrEqual(beforeTime);
+      expect(openidSubCookieCall[2].expires.getTime()).toBeLessThanOrEqual(afterTime);
+    });
+
+    it('should use custom REFRESH_TOKEN_EXPIRY for openid_sub cookie expiration', () => {
+      process.env.REFRESH_TOKEN_EXPIRY = '1000 * 60 * 60 * 24 * 14'; // 14 days
+      const expiryInMs = 1000 * 60 * 60 * 24 * 14;
+      const beforeTime = Date.now() + expiryInMs;
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const afterTime = Date.now() + expiryInMs;
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+
+      expect(openidSubCookieCall[2].expires.getTime()).toBeGreaterThanOrEqual(beforeTime);
+      expect(openidSubCookieCall[2].expires.getTime()).toBeLessThanOrEqual(afterTime);
+    });
+  });
+
+  describe('openid_sub cookie with other cookies', () => {
+    it('should set all cookies including openid_sub', () => {
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(4);
+      expect(mockRes.cookie).toHaveBeenCalledWith(
+        'refreshToken',
+        expect.any(String),
+        expect.any(Object),
+      );
+      expect(mockRes.cookie).toHaveBeenCalledWith(
+        'openid_access_token',
+        expect.any(String),
+        expect.any(Object),
+      );
+      expect(mockRes.cookie).toHaveBeenCalledWith('token_provider', 'openid', expect.any(Object));
+      expect(mockRes.cookie).toHaveBeenCalledWith(
+        'openid_sub',
+        `mocked-jwt-token-${testOpenIdSub}`,
+        expect.any(Object),
+      );
+    });
+
+    it('should set openid_user_id and openid_sub when OPENID_REUSE_TOKENS is enabled', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(5);
+      expect(mockRes.cookie).toHaveBeenCalledWith(
+        'openid_user_id',
+        expect.any(String),
+        expect.any(Object),
+      );
+      expect(mockRes.cookie).toHaveBeenCalledWith(
+        'openid_sub',
+        `mocked-jwt-token-${testOpenIdSub}`,
+        expect.any(Object),
+      );
+
+      const openidUserIdCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_user_id',
+      );
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+
+      // openid_user_id uses strict sameSite
+      expect(openidUserIdCall[2].sameSite).toBe('strict');
+      // openid_sub uses lax sameSite
+      expect(openidSubCall[2].sameSite).toBe('lax');
+    });
+
+    it('should set 3 cookies when access token has no sub claim', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({ sub: null, error: 'No sub claim' });
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(3);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual(['refreshToken', 'openid_access_token', 'token_provider']);
+    });
+  });
+
+  describe('openid_sub cookie security', () => {
+    it('should set httpOnly flag on openid_sub cookie', () => {
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall[2].httpOnly).toBe(true);
+    });
+
+    it('should set sameSite to lax (not strict) on openid_sub cookie', () => {
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall[2].sameSite).toBe('lax');
+      expect(openidSubCookieCall[2].sameSite).not.toBe('strict');
+    });
+
+    it('should verify other cookies still use strict sameSite', () => {
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const refreshTokenCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'refreshToken');
+      const accessTokenCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_access_token',
+      );
+      const providerCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'token_provider');
+
+      expect(refreshTokenCall[2].sameSite).toBe('strict');
+      expect(accessTokenCall[2].sameSite).toBe('strict');
+      expect(providerCall[2].sameSite).toBe('strict');
+    });
+  });
+
+  describe('error handling', () => {
+    it('should not throw error when userId is provided but tokenset is invalid', () => {
+      expect(() => {
+        setOpenIDAuthTokens(null, mockReq, mockRes, testUserId);
+      }).not.toThrow();
+
+      expect(logger.error).toHaveBeenCalledWith(
+        '[setOpenIDAuthTokens] No tokenset found in request',
+      );
+    });
+
+    it('should not set openid_sub cookie when tokenset is missing access_token', () => {
+      const invalidTokenset = {
+        refresh_token: 'test-refresh-token',
+      };
+
+      setOpenIDAuthTokens(invalidTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+    });
+
+    it('should not set openid_sub cookie when refresh_token is missing', () => {
+      const invalidTokenset = {
+        access_token: 'test-access-token',
+      };
+
+      setOpenIDAuthTokens(invalidTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+    });
+
+    it('should handle error during cookie setting gracefully', () => {
+      mockRes.cookie = jest.fn(() => {
+        throw new Error('Cookie setting failed');
+      });
+
+      expect(() => {
+        setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+      }).toThrow('Cookie setting failed');
+
+      expect(logger.error).toHaveBeenCalledWith(
+        '[setOpenIDAuthTokens] Error in setting authentication tokens:',
+        expect.any(Error),
+      );
+    });
+
+    it('should handle jwt decode throwing an error', () => {
+      const { extractSubFromAccessToken } = require('@librechat/api');
+      extractSubFromAccessToken.mockReturnValueOnce({ sub: null, error: 'Invalid JWT' });
+
+      // Should not throw, just skip setting openid_sub cookie
+      expect(() => {
+        setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+      }).not.toThrow();
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+    });
+  });
+
+  describe('integration with existing refresh token', () => {
+    it('should set openid_sub cookie when using existingRefreshToken', () => {
+      const tokensetWithoutRefresh = {
+        access_token: 'test-access-token',
+      };
+      const existingRefreshToken = 'existing-refresh-token';
+
+      setOpenIDAuthTokens(
+        tokensetWithoutRefresh,
+        mockReq,
+        mockRes,
+        testUserId,
+        existingRefreshToken,
+      );
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeDefined();
+      expect(openidSubCookieCall[1]).toBe(`mocked-jwt-token-${testOpenIdSub}`);
+    });
+
+    it('should prefer tokenset refresh_token over existingRefreshToken', () => {
+      const existingRefreshToken = 'existing-refresh-token';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId, existingRefreshToken);
+
+      const refreshTokenCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'refreshToken');
+      expect(refreshTokenCall[1]).toBe(mockTokenset.refresh_token);
+      expect(refreshTokenCall[1]).not.toBe(existingRefreshToken);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeDefined();
+    });
+  });
+
+  describe('feature flag behavior', () => {
+    it('should not set openid_sub cookie when OPENID_EXPOSE_SUB_COOKIE is false', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'false';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+
+      // Other cookies should still be set
+      expect(mockRes.cookie).toHaveBeenCalledTimes(3);
+      const cookieNames = mockRes.cookie.mock.calls.map((call) => call[0]);
+      expect(cookieNames).toEqual(['refreshToken', 'openid_access_token', 'token_provider']);
+    });
+
+    it('should not set openid_sub cookie when OPENID_EXPOSE_SUB_COOKIE is not set', () => {
+      delete process.env.OPENID_EXPOSE_SUB_COOKIE;
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeUndefined();
+
+      // Other cookies should still be set
+      expect(mockRes.cookie).toHaveBeenCalledTimes(3);
+    });
+
+    it('should set openid_sub cookie when OPENID_EXPOSE_SUB_COOKIE is true', () => {
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      const openidSubCookieCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_sub',
+      );
+      expect(openidSubCookieCall).toBeDefined();
+      expect(openidSubCookieCall[1]).toBe(`mocked-jwt-token-${testOpenIdSub}`);
+    });
+
+    it('should set openid_sub cookie with OPENID_REUSE_TOKENS and OPENID_EXPOSE_SUB_COOKIE both enabled', () => {
+      process.env.OPENID_REUSE_TOKENS = 'true';
+      process.env.OPENID_EXPOSE_SUB_COOKIE = 'true';
+
+      setOpenIDAuthTokens(mockTokenset, mockReq, mockRes, testUserId);
+
+      expect(mockRes.cookie).toHaveBeenCalledTimes(5);
+
+      const openidUserIdCall = mockRes.cookie.mock.calls.find(
+        (call) => call[0] === 'openid_user_id',
+      );
+      const openidSubCall = mockRes.cookie.mock.calls.find((call) => call[0] === 'openid_sub');
+
+      expect(openidUserIdCall).toBeDefined();
+      expect(openidSubCall).toBeDefined();
+
+      // openid_user_id uses strict sameSite
+      expect(openidUserIdCall[2].sameSite).toBe('strict');
+      // openid_sub uses lax sameSite
+      expect(openidSubCall[2].sameSite).toBe('lax');
+    });
+  });
+});
diff --git a/api/server/services/__tests__/ToolService.spec.js b/api/server/services/__tests__/ToolService.spec.js
new file mode 100644
index 000000000000..2f00bbc3d6ac
--- /dev/null
+++ b/api/server/services/__tests__/ToolService.spec.js
@@ -0,0 +1,149 @@
+const { AgentCapabilities, defaultAgentCapabilities } = require('librechat-data-provider');
+
+/**
+ * Tests for ToolService capability checking logic.
+ * The actual loadAgentTools function has many dependencies, so we test
+ * the capability checking logic in isolation.
+ */
+describe('ToolService - Capability Checking', () => {
+  describe('checkCapability logic', () => {
+    /**
+     * Simulates the checkCapability function from loadAgentTools
+     */
+    const createCheckCapability = (enabledCapabilities, logger = { warn: jest.fn() }) => {
+      return (capability) => {
+        const enabled = enabledCapabilities.has(capability);
+        if (!enabled) {
+          const isToolCapability = [
+            AgentCapabilities.file_search,
+            AgentCapabilities.execute_code,
+            AgentCapabilities.web_search,
+          ].includes(capability);
+          const suffix = isToolCapability ? ' despite configured tool.' : '.';
+          logger.warn(`Capability "${capability}" disabled${suffix}`);
+        }
+        return enabled;
+      };
+    };
+
+    it('should return true when capability is enabled', () => {
+      const enabledCapabilities = new Set([AgentCapabilities.deferred_tools]);
+      const checkCapability = createCheckCapability(enabledCapabilities);
+
+      expect(checkCapability(AgentCapabilities.deferred_tools)).toBe(true);
+    });
+
+    it('should return false when capability is not enabled', () => {
+      const enabledCapabilities = new Set([]);
+      const checkCapability = createCheckCapability(enabledCapabilities);
+
+      expect(checkCapability(AgentCapabilities.deferred_tools)).toBe(false);
+    });
+
+    it('should log warning with "despite configured tool" for tool capabilities', () => {
+      const logger = { warn: jest.fn() };
+      const enabledCapabilities = new Set([]);
+      const checkCapability = createCheckCapability(enabledCapabilities, logger);
+
+      checkCapability(AgentCapabilities.file_search);
+      expect(logger.warn).toHaveBeenCalledWith(expect.stringContaining('despite configured tool'));
+
+      logger.warn.mockClear();
+      checkCapability(AgentCapabilities.execute_code);
+      expect(logger.warn).toHaveBeenCalledWith(expect.stringContaining('despite configured tool'));
+
+      logger.warn.mockClear();
+      checkCapability(AgentCapabilities.web_search);
+      expect(logger.warn).toHaveBeenCalledWith(expect.stringContaining('despite configured tool'));
+    });
+
+    it('should log warning without "despite configured tool" for non-tool capabilities', () => {
+      const logger = { warn: jest.fn() };
+      const enabledCapabilities = new Set([]);
+      const checkCapability = createCheckCapability(enabledCapabilities, logger);
+
+      checkCapability(AgentCapabilities.deferred_tools);
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Capability "deferred_tools" disabled.'),
+      );
+      expect(logger.warn).not.toHaveBeenCalledWith(
+        expect.stringContaining('despite configured tool'),
+      );
+
+      logger.warn.mockClear();
+      checkCapability(AgentCapabilities.tools);
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Capability "tools" disabled.'),
+      );
+      expect(logger.warn).not.toHaveBeenCalledWith(
+        expect.stringContaining('despite configured tool'),
+      );
+
+      logger.warn.mockClear();
+      checkCapability(AgentCapabilities.actions);
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Capability "actions" disabled.'),
+      );
+    });
+
+    it('should not log warning when capability is enabled', () => {
+      const logger = { warn: jest.fn() };
+      const enabledCapabilities = new Set([
+        AgentCapabilities.deferred_tools,
+        AgentCapabilities.file_search,
+      ]);
+      const checkCapability = createCheckCapability(enabledCapabilities, logger);
+
+      checkCapability(AgentCapabilities.deferred_tools);
+      checkCapability(AgentCapabilities.file_search);
+
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('defaultAgentCapabilities', () => {
+    it('should include deferred_tools capability by default', () => {
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.deferred_tools);
+    });
+
+    it('should include all expected default capabilities', () => {
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.execute_code);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.file_search);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.web_search);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.artifacts);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.actions);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.context);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.tools);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.chain);
+      expect(defaultAgentCapabilities).toContain(AgentCapabilities.ocr);
+    });
+  });
+
+  describe('deferredToolsEnabled integration', () => {
+    it('should correctly determine deferredToolsEnabled from capabilities set', () => {
+      const createCheckCapability = (enabledCapabilities) => {
+        return (capability) => enabledCapabilities.has(capability);
+      };
+
+      // When deferred_tools is in capabilities
+      const withDeferred = new Set([AgentCapabilities.deferred_tools, AgentCapabilities.tools]);
+      const checkWithDeferred = createCheckCapability(withDeferred);
+      expect(checkWithDeferred(AgentCapabilities.deferred_tools)).toBe(true);
+
+      // When deferred_tools is NOT in capabilities
+      const withoutDeferred = new Set([AgentCapabilities.tools, AgentCapabilities.actions]);
+      const checkWithoutDeferred = createCheckCapability(withoutDeferred);
+      expect(checkWithoutDeferred(AgentCapabilities.deferred_tools)).toBe(false);
+    });
+
+    it('should use defaultAgentCapabilities when no capabilities configured', () => {
+      // Simulates the fallback behavior in loadAgentTools
+      const endpointsConfig = {}; // No capabilities configured
+      const enabledCapabilities = new Set(
+        endpointsConfig?.capabilities ?? defaultAgentCapabilities,
+      );
+
+      expect(enabledCapabilities.has(AgentCapabilities.deferred_tools)).toBe(true);
+    });
+  });
+});
diff --git a/api/strategies/index.js b/api/strategies/index.js
index 725e04224a03..b4f7bd3cac34 100644
--- a/api/strategies/index.js
+++ b/api/strategies/index.js
@@ -1,14 +1,14 @@
-const appleLogin = require('./appleStrategy');
+const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
+const openIdJwtLogin = require('./openIdJwtStrategy');
+const facebookLogin = require('./facebookStrategy');
+const discordLogin = require('./discordStrategy');
 const passportLogin = require('./localStrategy');
 const googleLogin = require('./googleStrategy');
 const githubLogin = require('./githubStrategy');
-const discordLogin = require('./discordStrategy');
-const facebookLogin = require('./facebookStrategy');
-const { setupOpenId, getOpenIdConfig } = require('./openidStrategy');
-const jwtLogin = require('./jwtStrategy');
-const ldapLogin = require('./ldapStrategy');
 const { setupSaml } = require('./samlStrategy');
-const openIdJwtLogin = require('./openIdJwtStrategy');
+const appleLogin = require('./appleStrategy');
+const ldapLogin = require('./ldapStrategy');
+const jwtLogin = require('./jwtStrategy');
 
 module.exports = {
   appleLogin,
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index a4369e601b42..84458ce99256 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -6,8 +6,8 @@ const client = require('openid-client');
 const jwtDecode = require('jsonwebtoken/decode');
 const { HttpsProxyAgent } = require('https-proxy-agent');
 const { hashToken, logger } = require('@librechat/data-schemas');
-const { CacheKeys, ErrorTypes } = require('librechat-data-provider');
 const { Strategy: OpenIDStrategy } = require('openid-client/passport');
+const { CacheKeys, ErrorTypes, SystemRoles } = require('librechat-data-provider');
 const {
   isEnabled,
   logHeaders,
@@ -287,6 +287,274 @@ function convertToUsername(input, defaultValue = '') {
   return defaultValue;
 }
 
+/**
+ * Process OpenID authentication tokenset and userinfo
+ * This is the core logic extracted from the passport strategy callback
+ * Can be reused by both the passport strategy and proxy authentication
+ *
+ * @param {Object} tokenset - The OpenID tokenset containing access_token, id_token, etc.
+ * @param {boolean} existingUsersOnly - If true, only existing users will be processed
+ * @returns {Promise<Object>} The authenticated user object with tokenset
+ */
+async function processOpenIDAuth(tokenset, existingUsersOnly = false) {
+  const claims = tokenset.claims ? tokenset.claims() : tokenset;
+  const userinfo = {
+    ...claims,
+  };
+
+  if (tokenset.access_token) {
+    const providerUserinfo = await getUserInfo(openidConfig, tokenset.access_token, claims.sub);
+    Object.assign(userinfo, providerUserinfo);
+  }
+
+  const appConfig = await getAppConfig();
+  /** Azure AD sometimes doesn't return email, use preferred_username as fallback */
+  const email = userinfo.email || userinfo.preferred_username || userinfo.upn;
+  if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
+    logger.error(
+      `[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${userinfo.email}]`,
+    );
+    throw new Error('Email domain not allowed');
+  }
+
+  const result = await findOpenIDUser({
+    findUser,
+    email: email,
+    openidId: claims.sub || userinfo.sub,
+    idOnTheSource: claims.oid || userinfo.oid,
+    strategyName: 'openidStrategy',
+  });
+  let user = result.user;
+  const error = result.error;
+
+  if (error) {
+    throw new Error(ErrorTypes.AUTH_FAILED);
+  }
+
+  const fullName = getFullName(userinfo);
+
+  const requiredRole = process.env.OPENID_REQUIRED_ROLE;
+  if (requiredRole) {
+    const requiredRoles = requiredRole
+      .split(',')
+      .map((role) => role.trim())
+      .filter(Boolean);
+    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
+    const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
+
+    let decodedToken = '';
+    if (requiredRoleTokenKind === 'access' && tokenset.access_token) {
+      decodedToken = jwtDecode(tokenset.access_token);
+    } else if (requiredRoleTokenKind === 'id' && tokenset.id_token) {
+      decodedToken = jwtDecode(tokenset.id_token);
+    }
+
+    let roles = get(decodedToken, requiredRoleParameterPath);
+    if (!roles || (!Array.isArray(roles) && typeof roles !== 'string')) {
+      logger.error(
+        `[openidStrategy] Key '${requiredRoleParameterPath}' not found in ${requiredRoleTokenKind} token!`,
+      );
+      const rolesList =
+        requiredRoles.length === 1
+          ? `"${requiredRoles[0]}"`
+          : `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
+      throw new Error(`You must have ${rolesList} role to log in.`);
+    }
+
+    if (!requiredRoles.some((role) => roles.includes(role))) {
+      const rolesList =
+        requiredRoles.length === 1
+          ? `"${requiredRoles[0]}"`
+          : `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
+      throw new Error(`You must have ${rolesList} role to log in.`);
+    }
+  }
+
+  let username = '';
+  if (process.env.OPENID_USERNAME_CLAIM) {
+    username = userinfo[process.env.OPENID_USERNAME_CLAIM];
+  } else {
+    username = convertToUsername(
+      userinfo.preferred_username || userinfo.username || userinfo.email,
+    );
+  }
+
+  if (existingUsersOnly && !user) {
+    throw new Error('User does not exist');
+  }
+
+  if (!user) {
+    user = {
+      provider: 'openid',
+      openidId: userinfo.sub,
+      username,
+      email: email || '',
+      emailVerified: userinfo.email_verified || false,
+      name: fullName,
+      idOnTheSource: userinfo.oid,
+    };
+
+    const balanceConfig = getBalanceConfig(appConfig);
+    user = await createUser(user, balanceConfig, true, true);
+  } else {
+    user.provider = 'openid';
+    user.openidId = userinfo.sub;
+    user.username = username;
+    user.name = fullName;
+    user.idOnTheSource = userinfo.oid;
+    if (email && email !== user.email) {
+      user.email = email;
+      user.emailVerified = userinfo.email_verified || false;
+    }
+  }
+
+  const adminRole = process.env.OPENID_ADMIN_ROLE;
+  const adminRoleParameterPath = process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH;
+  const adminRoleTokenKind = process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;
+
+  if (adminRole && adminRoleParameterPath && adminRoleTokenKind) {
+    let adminRoleObject;
+    switch (adminRoleTokenKind) {
+      case 'access':
+        adminRoleObject = jwtDecode(tokenset.access_token);
+        break;
+      case 'id':
+        adminRoleObject = jwtDecode(tokenset.id_token);
+        break;
+      case 'userinfo':
+        adminRoleObject = userinfo;
+        break;
+      default:
+        logger.error(
+          `[openidStrategy] Invalid admin role token kind: ${adminRoleTokenKind}. Must be one of 'access', 'id', or 'userinfo'.`,
+        );
+        throw new Error('Invalid admin role token kind');
+    }
+
+    const adminRoles = get(adminRoleObject, adminRoleParameterPath);
+
+    if (
+      adminRoles &&
+      (adminRoles === true ||
+        adminRoles === adminRole ||
+        (Array.isArray(adminRoles) && adminRoles.includes(adminRole)))
+    ) {
+      user.role = SystemRoles.ADMIN;
+      logger.info(`[openidStrategy] User ${username} is an admin based on role: ${adminRole}`);
+    } else if (user.role === SystemRoles.ADMIN) {
+      user.role = SystemRoles.USER;
+      logger.info(
+        `[openidStrategy] User ${username} demoted from admin - role no longer present in token`,
+      );
+    }
+  }
+
+  if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
+    /** @type {string | undefined} */
+    const imageUrl = userinfo.picture;
+
+    let fileName;
+    if (crypto) {
+      fileName = (await hashToken(userinfo.sub)) + '.png';
+    } else {
+      fileName = userinfo.sub + '.png';
+    }
+
+    const imageBuffer = await downloadImage(
+      imageUrl,
+      openidConfig,
+      tokenset.access_token,
+      userinfo.sub,
+    );
+    if (imageBuffer) {
+      const { saveBuffer } = getStrategyFunctions(
+        appConfig?.fileStrategy ?? process.env.CDN_PROVIDER,
+      );
+      const imagePath = await saveBuffer({
+        fileName,
+        userId: user._id.toString(),
+        buffer: imageBuffer,
+      });
+      user.avatar = imagePath ?? '';
+    }
+  }
+
+  user = await updateUser(user._id, user);
+
+  logger.info(
+    `[openidStrategy] login success openidId: ${user.openidId} | email: ${user.email} | username: ${user.username} `,
+    {
+      user: {
+        openidId: user.openidId,
+        username: user.username,
+        email: user.email,
+        name: user.name,
+      },
+    },
+  );
+
+  return {
+    ...user,
+    tokenset,
+    federatedTokens: {
+      access_token: tokenset.access_token,
+      refresh_token: tokenset.refresh_token,
+      expires_at: tokenset.expires_at,
+    },
+  };
+}
+
+/**
+ * @param {boolean | undefined} [existingUsersOnly]
+ */
+function createOpenIDCallback(existingUsersOnly) {
+  return async (tokenset, done) => {
+    try {
+      const user = await processOpenIDAuth(tokenset, existingUsersOnly);
+      done(null, user);
+    } catch (err) {
+      if (err.message === 'Email domain not allowed') {
+        return done(null, false, { message: err.message });
+      }
+      if (err.message === ErrorTypes.AUTH_FAILED) {
+        return done(null, false, { message: err.message });
+      }
+      if (err.message && err.message.includes('role to log in')) {
+        return done(null, false, { message: err.message });
+      }
+      logger.error('[openidStrategy] login failed', err);
+      done(err);
+    }
+  };
+}
+
+/**
+ * Sets up the OpenID strategy specifically for admin authentication.
+ * @param {Configuration} openidConfig
+ */
+const setupOpenIdAdmin = (openidConfig) => {
+  try {
+    if (!openidConfig) {
+      throw new Error('OpenID configuration not initialized');
+    }
+
+    const openidAdminLogin = new CustomOpenIDStrategy(
+      {
+        config: openidConfig,
+        scope: process.env.OPENID_SCOPE,
+        usePKCE: isEnabled(process.env.OPENID_USE_PKCE),
+        clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
+        callbackURL: process.env.DOMAIN_SERVER + '/api/admin/oauth/openid/callback',
+      },
+      createOpenIDCallback(true),
+    );
+
+    passport.use('openidAdmin', openidAdminLogin);
+  } catch (err) {
+    logger.error('[openidStrategy] setupOpenIdAdmin', err);
+  }
+};
+
 /**
  * Sets up the OpenID strategy for authentication.
  * This function configures the OpenID client, handles proxy settings,
@@ -324,10 +592,6 @@ async function setupOpenId() {
       },
     );
 
-    const requiredRole = process.env.OPENID_REQUIRED_ROLE;
-    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
-    const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
-    const usePKCE = isEnabled(process.env.OPENID_USE_PKCE);
     logger.info(`[openidStrategy] OpenID authentication configuration`, {
       generateNonce: shouldGenerateNonce,
       reason: shouldGenerateNonce
@@ -335,241 +599,25 @@ async function setupOpenId() {
         : 'OPENID_GENERATE_NONCE=false - Standard flow without explicit nonce or metadata',
     });
 
-    // Set of env variables that specify how to set if a user is an admin
-    // If not set, all users will be treated as regular users
-    const adminRole = process.env.OPENID_ADMIN_ROLE;
-    const adminRoleParameterPath = process.env.OPENID_ADMIN_ROLE_PARAMETER_PATH;
-    const adminRoleTokenKind = process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;
-
     const openidLogin = new CustomOpenIDStrategy(
       {
         config: openidConfig,
         scope: process.env.OPENID_SCOPE,
         callbackURL: process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL,
         clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
-        usePKCE,
-      },
-      /**
-       * @param {import('openid-client').TokenEndpointResponseHelpers} tokenset
-       * @param {import('passport-jwt').VerifyCallback} done
-       */
-      async (tokenset, done) => {
-        try {
-          const claims = tokenset.claims();
-          const userinfo = {
-            ...claims,
-            ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
-          };
-
-          const appConfig = await getAppConfig();
-          /** Azure AD sometimes doesn't return email, use preferred_username as fallback */
-          const email = userinfo.email || userinfo.preferred_username || userinfo.upn;
-          if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
-            logger.error(
-              `[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${email}]`,
-            );
-            return done(null, false, { message: 'Email domain not allowed' });
-          }
-
-          const result = await findOpenIDUser({
-            findUser,
-            email: email,
-            openidId: claims.sub,
-            idOnTheSource: claims.oid,
-            strategyName: 'openidStrategy',
-          });
-          let user = result.user;
-          const error = result.error;
-
-          if (error) {
-            return done(null, false, {
-              message: ErrorTypes.AUTH_FAILED,
-            });
-          }
-
-          const fullName = getFullName(userinfo);
-
-          if (requiredRole) {
-            const requiredRoles = requiredRole
-              .split(',')
-              .map((role) => role.trim())
-              .filter(Boolean);
-            let decodedToken = '';
-            if (requiredRoleTokenKind === 'access') {
-              decodedToken = jwtDecode(tokenset.access_token);
-            } else if (requiredRoleTokenKind === 'id') {
-              decodedToken = jwtDecode(tokenset.id_token);
-            }
-
-            let roles = get(decodedToken, requiredRoleParameterPath);
-            if (!roles || (!Array.isArray(roles) && typeof roles !== 'string')) {
-              logger.error(
-                `[openidStrategy] Key '${requiredRoleParameterPath}' not found or invalid type in ${requiredRoleTokenKind} token!`,
-              );
-              const rolesList =
-                requiredRoles.length === 1
-                  ? `"${requiredRoles[0]}"`
-                  : `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
-              return done(null, false, {
-                message: `You must have ${rolesList} role to log in.`,
-              });
-            }
-
-            if (!requiredRoles.some((role) => roles.includes(role))) {
-              const rolesList =
-                requiredRoles.length === 1
-                  ? `"${requiredRoles[0]}"`
-                  : `one of: ${requiredRoles.map((r) => `"${r}"`).join(', ')}`;
-              return done(null, false, {
-                message: `You must have ${rolesList} role to log in.`,
-              });
-            }
-          }
-
-          let username = '';
-          if (process.env.OPENID_USERNAME_CLAIM) {
-            username = userinfo[process.env.OPENID_USERNAME_CLAIM];
-          } else {
-            username = convertToUsername(
-              userinfo.preferred_username || userinfo.username || userinfo.email,
-            );
-          }
-
-          if (!user) {
-            user = {
-              provider: 'openid',
-              openidId: userinfo.sub,
-              username,
-              email: email || '',
-              emailVerified: userinfo.email_verified || false,
-              name: fullName,
-              idOnTheSource: userinfo.oid,
-            };
-
-            const balanceConfig = getBalanceConfig(appConfig);
-            user = await createUser(user, balanceConfig, true, true);
-          } else {
-            user.provider = 'openid';
-            user.openidId = userinfo.sub;
-            user.username = username;
-            user.name = fullName;
-            user.idOnTheSource = userinfo.oid;
-            if (email && email !== user.email) {
-              user.email = email;
-              user.emailVerified = userinfo.email_verified || false;
-            }
-          }
-
-          if (adminRole && adminRoleParameterPath && adminRoleTokenKind) {
-            let adminRoleObject;
-            switch (adminRoleTokenKind) {
-              case 'access':
-                adminRoleObject = jwtDecode(tokenset.access_token);
-                break;
-              case 'id':
-                adminRoleObject = jwtDecode(tokenset.id_token);
-                break;
-              case 'userinfo':
-                adminRoleObject = userinfo;
-                break;
-              default:
-                logger.error(
-                  `[openidStrategy] Invalid admin role token kind: ${adminRoleTokenKind}. Must be one of 'access', 'id', or 'userinfo'.`,
-                );
-                return done(new Error('Invalid admin role token kind'));
-            }
-
-            const adminRoles = get(adminRoleObject, adminRoleParameterPath);
-
-            // Accept 3 types of values for the object extracted from adminRoleParameterPath:
-            // 1. A boolean value indicating if the user is an admin
-            // 2. A string with a single role name
-            // 3. An array of role names
-
-            if (
-              adminRoles &&
-              (adminRoles === true ||
-                adminRoles === adminRole ||
-                (Array.isArray(adminRoles) && adminRoles.includes(adminRole)))
-            ) {
-              user.role = 'ADMIN';
-              logger.info(
-                `[openidStrategy] User ${username} is an admin based on role: ${adminRole}`,
-              );
-            } else if (user.role === 'ADMIN') {
-              user.role = 'USER';
-              logger.info(
-                `[openidStrategy] User ${username} demoted from admin - role no longer present in token`,
-              );
-            }
-          }
-
-          if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {
-            /** @type {string | undefined} */
-            const imageUrl = userinfo.picture;
-
-            let fileName;
-            if (crypto) {
-              fileName = (await hashToken(userinfo.sub)) + '.png';
-            } else {
-              fileName = userinfo.sub + '.png';
-            }
-
-            const imageBuffer = await downloadImage(
-              imageUrl,
-              openidConfig,
-              tokenset.access_token,
-              userinfo.sub,
-            );
-            if (imageBuffer) {
-              const { saveBuffer } = getStrategyFunctions(
-                appConfig?.fileStrategy ?? process.env.CDN_PROVIDER,
-              );
-              const imagePath = await saveBuffer({
-                fileName,
-                userId: user._id.toString(),
-                buffer: imageBuffer,
-              });
-              user.avatar = imagePath ?? '';
-            }
-          }
-
-          user = await updateUser(user._id, user);
-
-          logger.info(
-            `[openidStrategy] login success openidId: ${user.openidId} | email: ${user.email} | username: ${user.username} `,
-            {
-              user: {
-                openidId: user.openidId,
-                username: user.username,
-                email: user.email,
-                name: user.name,
-              },
-            },
-          );
-
-          done(null, {
-            ...user,
-            tokenset,
-            federatedTokens: {
-              access_token: tokenset.access_token,
-              refresh_token: tokenset.refresh_token,
-              expires_at: tokenset.expires_at,
-            },
-          });
-        } catch (err) {
-          logger.error('[openidStrategy] login failed', err);
-          done(err);
-        }
+        usePKCE: isEnabled(process.env.OPENID_USE_PKCE),
       },
+      createOpenIDCallback(),
     );
     passport.use('openid', openidLogin);
+    setupOpenIdAdmin(openidConfig);
     return openidConfig;
   } catch (err) {
     logger.error('[openidStrategy]', err);
     return null;
   }
 }
+
 /**
  * @function getOpenIdConfig
  * @description Returns the OpenID client instance.
diff --git a/api/strategies/openidStrategy.spec.js b/api/strategies/openidStrategy.spec.js
index 9ac22ff42f23..ada27cca1727 100644
--- a/api/strategies/openidStrategy.spec.js
+++ b/api/strategies/openidStrategy.spec.js
@@ -64,21 +64,36 @@ jest.mock('openid-client', () => {
 });
 
 jest.mock('openid-client/passport', () => {
-  let verifyCallback;
+  /** Store callbacks by strategy name - 'openid' and 'openidAdmin' */
+  const verifyCallbacks = {};
+  let lastVerifyCallback;
+
   const mockStrategy = jest.fn((options, verify) => {
-    verifyCallback = verify;
+    lastVerifyCallback = verify;
     return { name: 'openid', options, verify };
   });
 
   return {
     Strategy: mockStrategy,
-    __getVerifyCallback: () => verifyCallback,
+    /** Get the last registered callback (for backward compatibility) */
+    __getVerifyCallback: () => lastVerifyCallback,
+    /** Store callback by name when passport.use is called */
+    __setVerifyCallback: (name, callback) => {
+      verifyCallbacks[name] = callback;
+    },
+    /** Get callback by strategy name */
+    __getVerifyCallbackByName: (name) => verifyCallbacks[name],
   };
 });
 
-// Mock passport
+// Mock passport - capture strategy name and callback
 jest.mock('passport', () => ({
-  use: jest.fn(),
+  use: jest.fn((name, strategy) => {
+    const passportMock = require('openid-client/passport');
+    if (strategy && strategy.verify) {
+      passportMock.__setVerifyCallback(name, strategy.verify);
+    }
+  }),
 }));
 
 describe('setupOpenId', () => {
@@ -159,9 +174,10 @@ describe('setupOpenId', () => {
     };
     fetch.mockResolvedValue(fakeResponse);
 
-    // Call the setup function and capture the verify callback
+    // Call the setup function and capture the verify callback for the regular 'openid' strategy
+    // (not 'openidAdmin' which requires existing users)
     await setupOpenId();
-    verifyCallback = require('openid-client/passport').__getVerifyCallback();
+    verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
   });
 
   it('should create a new user with correct username when preferred_username claim exists', async () => {
@@ -389,7 +405,7 @@ describe('setupOpenId', () => {
     // Arrange
     process.env.OPENID_REQUIRED_ROLE = 'someRole,anotherRole,admin';
     await setupOpenId(); // Re-initialize the strategy
-    verifyCallback = require('openid-client/passport').__getVerifyCallback();
+    verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
     jwtDecode.mockReturnValue({
       roles: ['anotherRole', 'aThirdRole'],
     });
@@ -406,7 +422,7 @@ describe('setupOpenId', () => {
     // Arrange
     process.env.OPENID_REQUIRED_ROLE = 'someRole,anotherRole,admin';
     await setupOpenId(); // Re-initialize the strategy
-    verifyCallback = require('openid-client/passport').__getVerifyCallback();
+    verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
     jwtDecode.mockReturnValue({
       roles: ['aThirdRole', 'aFourthRole'],
     });
@@ -425,7 +441,7 @@ describe('setupOpenId', () => {
     // Arrange
     process.env.OPENID_REQUIRED_ROLE = ' someRole , anotherRole , admin ';
     await setupOpenId(); // Re-initialize the strategy
-    verifyCallback = require('openid-client/passport').__getVerifyCallback();
+    verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
     jwtDecode.mockReturnValue({
       roles: ['someRole'],
     });
@@ -560,7 +576,7 @@ describe('setupOpenId', () => {
     delete process.env.OPENID_ADMIN_ROLE_TOKEN_KIND;
 
     await setupOpenId();
-    verifyCallback = require('openid-client/passport').__getVerifyCallback();
+    verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
     // Simulate an existing admin user
     const existingAdminUser = {
@@ -611,7 +627,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -634,7 +650,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -655,14 +671,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user, details } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining(
-          "Key 'resource_access.nonexistent.roles' not found or invalid type in id token!",
-        ),
+        expect.stringContaining("Key 'resource_access.nonexistent.roles' not found in id token!"),
       );
       expect(user).toBe(false);
       expect(details.message).toContain('role to log in');
@@ -680,12 +694,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining("Key 'org.team.roles' not found or invalid type in id token!"),
+        expect.stringContaining("Key 'org.team.roles' not found in id token!"),
       );
       expect(user).toBe(false);
     });
@@ -709,7 +723,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -739,7 +753,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate({
         ...tokenset,
@@ -759,7 +773,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -776,7 +790,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -793,7 +807,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -810,7 +824,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -827,7 +841,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -847,7 +861,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
@@ -864,12 +878,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining("Key 'access.roles' not found or invalid type in id token!"),
+        expect.stringContaining("Key 'access.roles' not found in id token!"),
       );
       expect(user).toBe(false);
     });
@@ -884,12 +898,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining("Key 'data.roles' not found or invalid type in id token!"),
+        expect.stringContaining("Key 'data.roles' not found in id token!"),
       );
       expect(user).toBe(false);
     });
@@ -906,7 +920,7 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       await expect(validate(tokenset)).rejects.toThrow('Invalid admin role token kind');
 
@@ -927,12 +941,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user, details } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining("Key 'roles' not found or invalid type in id token!"),
+        expect.stringContaining("Key 'roles' not found in id token!"),
       );
       expect(user).toBe(false);
       expect(details.message).toContain('role to log in');
@@ -948,12 +962,12 @@ describe('setupOpenId', () => {
       });
 
       await setupOpenId();
-      verifyCallback = require('openid-client/passport').__getVerifyCallback();
+      verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid');
 
       const { user } = await validate(tokenset);
 
       expect(logger.error).toHaveBeenCalledWith(
-        expect.stringContaining("Key 'roleCount' not found or invalid type in id token!"),
+        expect.stringContaining("Key 'roleCount' not found in id token!"),
       );
       expect(user).toBe(false);
     });
diff --git a/client/src/common/agents-types.ts b/client/src/common/agents-types.ts
index 9ac6b440a397..c3832b7ff8da 100644
--- a/client/src/common/agents-types.ts
+++ b/client/src/common/agents-types.ts
@@ -1,6 +1,7 @@
 import { AgentCapabilities, ArtifactModes } from 'librechat-data-provider';
 import type {
   AgentModelParameters,
+  AgentToolOptions,
   SupportContact,
   AgentProvider,
   GraphEdge,
@@ -33,6 +34,8 @@ export type AgentForm = {
   model: string | null;
   model_parameters: AgentModelParameters;
   tools?: string[];
+  /** Per-tool configuration options (deferred loading, allowed callers, etc.) */
+  tool_options?: AgentToolOptions;
   provider?: AgentProvider | OptionWithIcon;
   /** @deprecated Use edges instead */
   agent_ids?: string[];
diff --git a/client/src/components/Chat/Messages/Content/Part.tsx b/client/src/components/Chat/Messages/Content/Part.tsx
index bfa2b28fac65..4a74e3606f77 100644
--- a/client/src/components/Chat/Messages/Content/Part.tsx
+++ b/client/src/components/Chat/Messages/Content/Part.tsx
@@ -91,7 +91,11 @@ const Part = memo(
 
       const isToolCall =
         'args' in toolCall && (!toolCall.type || toolCall.type === ToolCallTypes.TOOL_CALL);
-      if (isToolCall && toolCall.name === Tools.execute_code) {
+      if (
+        isToolCall &&
+        (toolCall.name === Tools.execute_code ||
+          toolCall.name === Constants.PROGRAMMATIC_TOOL_CALLING)
+      ) {
         return (
           <ExecuteCode
             attachments={attachments}
diff --git a/client/src/components/Chat/Messages/Content/Parts/Attachment.tsx b/client/src/components/Chat/Messages/Content/Parts/Attachment.tsx
index 1d14534e0db1..b5d1e07cbf8a 100644
--- a/client/src/components/Chat/Messages/Content/Parts/Attachment.tsx
+++ b/client/src/components/Chat/Messages/Content/Parts/Attachment.tsx
@@ -8,9 +8,13 @@ import { cn } from '~/utils';
 
 const FileAttachment = memo(({ attachment }: { attachment: Partial<TAttachment> }) => {
   const [isVisible, setIsVisible] = useState(false);
+  const file = attachment as TFile & TAttachmentMetadata;
   const { handleDownload } = useAttachmentLink({
     href: attachment.filepath ?? '',
     filename: attachment.filename ?? '',
+    file_id: file.file_id,
+    user: file.user,
+    source: file.source,
   });
   const extension = attachment.filename?.split('.').pop();
 
diff --git a/client/src/components/Chat/Messages/Content/Parts/ExecuteCode.tsx b/client/src/components/Chat/Messages/Content/Parts/ExecuteCode.tsx
index 729011bdbd5e..2f14ac0f13d9 100644
--- a/client/src/components/Chat/Messages/Content/Parts/ExecuteCode.tsx
+++ b/client/src/components/Chat/Messages/Content/Parts/ExecuteCode.tsx
@@ -67,7 +67,7 @@ export default function ExecuteCode({
   const [contentHeight, setContentHeight] = useState<number | undefined>(0);
 
   const prevShowCodeRef = useRef<boolean>(showCode);
-  const { lang, code } = useParseArgs(args) ?? ({} as ParsedArgs);
+  const { lang = 'py', code } = useParseArgs(args) ?? ({} as ParsedArgs);
   const progress = useProgress(initialProgress);
 
   useEffect(() => {
diff --git a/client/src/components/Chat/Messages/Content/Parts/LogContent.tsx b/client/src/components/Chat/Messages/Content/Parts/LogContent.tsx
index d2a303f49f33..da2a8f175eb9 100644
--- a/client/src/components/Chat/Messages/Content/Parts/LogContent.tsx
+++ b/client/src/components/Chat/Messages/Content/Parts/LogContent.tsx
@@ -65,6 +65,7 @@ const LogContent: React.FC<LogContentProps> = ({ output = '', renderImages, atta
       return `${filename} ${localize('com_download_expired')}`;
     }
 
+    const fileData = file as TFile & TAttachmentMetadata;
     const filepath = file.filepath || '';
 
     // const expirationText = expiresAt
@@ -72,7 +73,13 @@ const LogContent: React.FC<LogContentProps> = ({ output = '', renderImages, atta
     //   : ` ${localize('com_click_to_download')}`;
 
     return (
-      <LogLink href={filepath} filename={filename}>
+      <LogLink
+        href={filepath}
+        filename={filename}
+        file_id={fileData.file_id}
+        user={fileData.user}
+        source={fileData.source}
+      >
         {'- '}
         {filename} {localize('com_click_to_download')}
       </LogLink>
diff --git a/client/src/components/Chat/Messages/Content/Parts/LogLink.tsx b/client/src/components/Chat/Messages/Content/Parts/LogLink.tsx
index d328f202ee93..070becf51776 100644
--- a/client/src/components/Chat/Messages/Content/Parts/LogLink.tsx
+++ b/client/src/components/Chat/Messages/Content/Parts/LogLink.tsx
@@ -1,21 +1,56 @@
 import React from 'react';
+import { FileSources } from 'librechat-data-provider';
 import { useToastContext } from '@librechat/client';
-import { useCodeOutputDownload } from '~/data-provider';
+import { useCodeOutputDownload, useFileDownload } from '~/data-provider';
 
 interface LogLinkProps {
   href: string;
   filename: string;
+  file_id?: string;
+  user?: string;
+  source?: string;
   children: React.ReactNode;
 }
 
-export const useAttachmentLink = ({ href, filename }: Pick<LogLinkProps, 'href' | 'filename'>) => {
+interface AttachmentLinkOptions {
+  href: string;
+  filename: string;
+  file_id?: string;
+  user?: string;
+  source?: string;
+}
+
+/**
+ * Determines if a file is stored locally (not an external API URL).
+ * Files with these sources are stored on the LibreChat server and should
+ * use the /api/files/download endpoint instead of direct URL access.
+ */
+const isLocallyStoredSource = (source?: string): boolean => {
+  if (!source) {
+    return false;
+  }
+  return [FileSources.local, FileSources.firebase, FileSources.s3, FileSources.azure_blob].includes(
+    source as FileSources,
+  );
+};
+
+export const useAttachmentLink = ({
+  href,
+  filename,
+  file_id,
+  user,
+  source,
+}: AttachmentLinkOptions) => {
   const { showToast } = useToastContext();
-  const { refetch: downloadFile } = useCodeOutputDownload(href);
+
+  const useLocalDownload = isLocallyStoredSource(source) && !!file_id && !!user;
+  const { refetch: downloadFromApi } = useFileDownload(user, file_id);
+  const { refetch: downloadFromUrl } = useCodeOutputDownload(href);
 
   const handleDownload = async (event: React.MouseEvent<HTMLAnchorElement | HTMLButtonElement>) => {
     event.preventDefault();
     try {
-      const stream = await downloadFile();
+      const stream = useLocalDownload ? await downloadFromApi() : await downloadFromUrl();
       if (stream.data == null || stream.data === '') {
         console.error('Error downloading file: No data found');
         showToast({
@@ -39,8 +74,8 @@ export const useAttachmentLink = ({ href, filename }: Pick<LogLinkProps, 'href'
   return { handleDownload };
 };
 
-const LogLink: React.FC<LogLinkProps> = ({ href, filename, children }) => {
-  const { handleDownload } = useAttachmentLink({ href, filename });
+const LogLink: React.FC<LogLinkProps> = ({ href, filename, file_id, user, source, children }) => {
+  const { handleDownload } = useAttachmentLink({ href, filename, file_id, user, source });
   return (
     <a
       href={href}
diff --git a/client/src/components/Nav/SettingsTabs/Data/AgentApiKeys.tsx b/client/src/components/Nav/SettingsTabs/Data/AgentApiKeys.tsx
new file mode 100644
index 000000000000..f75b93526a9d
--- /dev/null
+++ b/client/src/components/Nav/SettingsTabs/Data/AgentApiKeys.tsx
@@ -0,0 +1,362 @@
+import React, { useState } from 'react';
+import {
+  useGetAgentApiKeysQuery,
+  useCreateAgentApiKeyMutation,
+  useDeleteAgentApiKeyMutation,
+} from 'librechat-data-provider/react-query';
+import { Permissions, PermissionTypes } from 'librechat-data-provider';
+import { Plus, Trash2, Copy, CopyCheck, Key, Eye, EyeOff, ShieldEllipsis } from 'lucide-react';
+import {
+  Button,
+  Input,
+  Label,
+  Spinner,
+  OGDialog,
+  OGDialogClose,
+  OGDialogTitle,
+  OGDialogHeader,
+  OGDialogContent,
+  OGDialogTrigger,
+  useToastContext,
+} from '@librechat/client';
+import type { PermissionConfig } from '~/components/ui';
+import { useUpdateRemoteAgentsPermissionsMutation } from '~/data-provider';
+import { useLocalize, useCopyToClipboard } from '~/hooks';
+import { AdminSettingsDialog } from '~/components/ui';
+
+function CreateKeyDialog({ onKeyCreated }: { onKeyCreated?: () => void }) {
+  const localize = useLocalize();
+  const { showToast } = useToastContext();
+  const [open, setOpen] = useState(false);
+  const [name, setName] = useState('');
+  const [newKey, setNewKey] = useState<string | null>(null);
+  const [showKey, setShowKey] = useState(false);
+  const [isCopying, setIsCopying] = useState(false);
+  const createMutation = useCreateAgentApiKeyMutation();
+  const copyKey = useCopyToClipboard({ text: newKey || '' });
+
+  const handleCreate = async () => {
+    if (!name.trim()) {
+      showToast({ message: localize('com_ui_api_key_name_required'), status: 'error' });
+      return;
+    }
+
+    try {
+      const result = await createMutation.mutateAsync({ name: name.trim() });
+      setNewKey(result.key);
+      showToast({ message: localize('com_ui_api_key_created'), status: 'success' });
+      onKeyCreated?.();
+    } catch {
+      showToast({ message: localize('com_ui_api_key_create_error'), status: 'error' });
+    }
+  };
+
+  const handleClose = () => {
+    setName('');
+    setNewKey(null);
+    setShowKey(false);
+    setOpen(false);
+  };
+
+  const handleCopy = () => {
+    if (isCopying) {
+      return;
+    }
+    copyKey(setIsCopying);
+    showToast({ message: localize('com_ui_api_key_copied'), status: 'success' });
+  };
+
+  return (
+    <OGDialog open={open} onOpenChange={setOpen}>
+      <OGDialogTrigger asChild>
+        <Button variant="outline" size="sm" className="gap-2">
+          <Plus className="h-4 w-4" />
+          {localize('com_ui_create_api_key')}
+        </Button>
+      </OGDialogTrigger>
+      <OGDialogContent className="max-w-md">
+        <OGDialogTitle>{localize('com_ui_create_api_key')}</OGDialogTitle>
+        <div className="space-y-4 py-4">
+          {!newKey ? (
+            <>
+              <div className="space-y-2">
+                <Label htmlFor="key-name">{localize('com_ui_api_key_name')}</Label>
+                <Input
+                  id="key-name"
+                  value={name}
+                  onChange={(e) => setName(e.target.value)}
+                  placeholder={localize('com_ui_api_key_name_placeholder')}
+                />
+              </div>
+              <div className="flex justify-end gap-2">
+                <OGDialogClose asChild>
+                  <Button variant="outline" onClick={handleClose}>
+                    {localize('com_ui_cancel')}
+                  </Button>
+                </OGDialogClose>
+                <Button onClick={handleCreate} disabled={createMutation.isLoading}>
+                  {createMutation.isLoading ? (
+                    <Spinner className="h-4 w-4" />
+                  ) : (
+                    localize('com_ui_create')
+                  )}
+                </Button>
+              </div>
+            </>
+          ) : (
+            <>
+              <div className="rounded-lg border border-yellow-500/50 bg-yellow-50 p-4 dark:bg-yellow-900/20">
+                <p className="text-sm text-yellow-800 dark:text-yellow-200">
+                  {localize('com_ui_api_key_warning')}
+                </p>
+              </div>
+              <div className="space-y-2">
+                <Label>{localize('com_ui_your_api_key')}</Label>
+                <div className="flex gap-2">
+                  <Input
+                    value={showKey ? newKey : '•'.repeat(newKey.length)}
+                    readOnly
+                    className="font-mono text-sm"
+                  />
+                  <Button
+                    variant="outline"
+                    size="icon"
+                    onClick={() => setShowKey(!showKey)}
+                    title={showKey ? localize('com_ui_hide') : localize('com_ui_show')}
+                  >
+                    {showKey ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+                  </Button>
+                  <Button
+                    variant="outline"
+                    size="icon"
+                    onClick={handleCopy}
+                    disabled={isCopying}
+                    title={localize('com_ui_copy')}
+                  >
+                    {isCopying ? <CopyCheck className="h-4 w-4" /> : <Copy className="h-4 w-4" />}
+                  </Button>
+                </div>
+              </div>
+              <div className="flex justify-end">
+                <Button onClick={handleClose}>{localize('com_ui_done')}</Button>
+              </div>
+            </>
+          )}
+        </div>
+      </OGDialogContent>
+    </OGDialog>
+  );
+}
+
+function KeyItem({
+  id,
+  name,
+  keyPrefix,
+  createdAt,
+  lastUsedAt,
+}: {
+  id: string;
+  name: string;
+  keyPrefix: string;
+  createdAt: string;
+  lastUsedAt?: string;
+}) {
+  const localize = useLocalize();
+  const { showToast } = useToastContext();
+  const [confirmDelete, setConfirmDelete] = useState(false);
+  const deleteMutation = useDeleteAgentApiKeyMutation();
+
+  const handleDelete = async () => {
+    try {
+      await deleteMutation.mutateAsync(id);
+      showToast({ message: localize('com_ui_api_key_deleted'), status: 'success' });
+    } catch {
+      showToast({ message: localize('com_ui_api_key_delete_error'), status: 'error' });
+    }
+    setConfirmDelete(false);
+  };
+
+  const formatDate = (dateStr: string) => {
+    return new Date(dateStr).toLocaleDateString(undefined, {
+      year: 'numeric',
+      month: 'short',
+      day: 'numeric',
+    });
+  };
+
+  return (
+    <div className="flex items-center justify-between rounded-lg border border-border-light p-3">
+      <div className="flex items-center gap-3">
+        <Key className="h-5 w-5 text-text-secondary" />
+        <div>
+          <div className="font-medium">{name}</div>
+          <div className="text-sm text-text-secondary">
+            <span className="font-mono">{keyPrefix}...</span>
+            <span className="mx-2">•</span>
+            <span>
+              {localize('com_ui_created')} {formatDate(createdAt)}
+            </span>
+            {lastUsedAt && (
+              <>
+                <span className="mx-2">•</span>
+                <span>
+                  {localize('com_ui_last_used')} {formatDate(lastUsedAt)}
+                </span>
+              </>
+            )}
+          </div>
+        </div>
+      </div>
+      <div>
+        {confirmDelete ? (
+          <div className="flex gap-2">
+            <Button variant="outline" size="sm" onClick={() => setConfirmDelete(false)}>
+              {localize('com_ui_cancel')}
+            </Button>
+            <Button
+              variant="destructive"
+              size="sm"
+              onClick={handleDelete}
+              disabled={deleteMutation.isLoading}
+            >
+              {deleteMutation.isLoading ? (
+                <Spinner className="h-4 w-4" />
+              ) : (
+                localize('com_ui_delete')
+              )}
+            </Button>
+          </div>
+        ) : (
+          <Button
+            variant="ghost"
+            size="icon"
+            onClick={() => setConfirmDelete(true)}
+            title={localize('com_ui_delete')}
+          >
+            <Trash2 className="h-4 w-4 text-text-secondary hover:text-red-500" />
+          </Button>
+        )}
+      </div>
+    </div>
+  );
+}
+
+function ApiKeysContent({ isOpen }: { isOpen: boolean }) {
+  const localize = useLocalize();
+  const { data, isLoading, error } = useGetAgentApiKeysQuery({ enabled: isOpen });
+
+  if (error) {
+    return <div className="text-sm text-red-500">{localize('com_ui_api_keys_load_error')}</div>;
+  }
+
+  return (
+    <div className="space-y-4">
+      <div className="flex items-center justify-end gap-2">
+        <RemoteAgentsAdminSettings />
+        <CreateKeyDialog />
+      </div>
+
+      <div className="max-h-[400px] space-y-2 overflow-y-auto">
+        {isLoading && (
+          <div className="flex items-center justify-center py-8">
+            <Spinner className="h-6 w-6" />
+          </div>
+        )}
+        {!isLoading &&
+          data?.keys &&
+          data.keys.length > 0 &&
+          data.keys.map((key) => (
+            <KeyItem
+              key={key.id}
+              id={key.id}
+              name={key.name}
+              keyPrefix={key.keyPrefix}
+              createdAt={key.createdAt}
+              lastUsedAt={key.lastUsedAt}
+            />
+          ))}
+        {!isLoading && (!data?.keys || data.keys.length === 0) && (
+          <div className="rounded-lg border-2 border-dashed border-border-light p-8 text-center">
+            <Key className="mx-auto h-8 w-8 text-text-secondary" />
+            <p className="mt-2 text-sm text-text-secondary">{localize('com_ui_no_api_keys')}</p>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+const remoteAgentsPermissions: PermissionConfig[] = [
+  { permission: Permissions.USE, labelKey: 'com_ui_remote_agents_allow_use' },
+  { permission: Permissions.CREATE, labelKey: 'com_ui_remote_agents_allow_create' },
+  { permission: Permissions.SHARE, labelKey: 'com_ui_remote_agents_allow_share' },
+  { permission: Permissions.SHARE_PUBLIC, labelKey: 'com_ui_remote_agents_allow_share_public' },
+];
+
+function RemoteAgentsAdminSettings() {
+  const localize = useLocalize();
+  const { showToast } = useToastContext();
+
+  const mutation = useUpdateRemoteAgentsPermissionsMutation({
+    onSuccess: () => {
+      showToast({ status: 'success', message: localize('com_ui_saved') });
+    },
+    onError: () => {
+      showToast({ status: 'error', message: localize('com_ui_error_save_admin_settings') });
+    },
+  });
+
+  const trigger = (
+    <Button
+      variant="ghost"
+      size="icon"
+      className="h-8 w-8"
+      aria-label={localize('com_ui_admin_settings')}
+    >
+      <ShieldEllipsis className="h-5 w-5" aria-hidden="true" />
+    </Button>
+  );
+
+  return (
+    <AdminSettingsDialog
+      permissionType={PermissionTypes.REMOTE_AGENTS}
+      sectionKey="com_ui_remote_agents"
+      permissions={remoteAgentsPermissions}
+      menuId="remote-agents-role-dropdown"
+      mutation={mutation}
+      trigger={trigger}
+    />
+  );
+}
+
+export function AgentApiKeys() {
+  const localize = useLocalize();
+  const [isOpen, setIsOpen] = useState(false);
+
+  return (
+    <div className="flex items-center justify-between">
+      <Label id="api-keys-label">{localize('com_ui_agent_api_keys')}</Label>
+
+      <OGDialog open={isOpen} onOpenChange={setIsOpen}>
+        <OGDialogTrigger asChild>
+          <Button aria-labelledby="api-keys-label" variant="outline">
+            {localize('com_ui_manage')}
+          </Button>
+        </OGDialogTrigger>
+
+        <OGDialogContent
+          title={localize('com_ui_agent_api_keys')}
+          className="w-11/12 max-w-2xl bg-background text-text-primary shadow-2xl"
+        >
+          <OGDialogHeader>
+            <OGDialogTitle>{localize('com_ui_agent_api_keys')}</OGDialogTitle>
+            <p className="text-sm text-text-secondary">
+              {localize('com_ui_agent_api_keys_description')}
+            </p>
+          </OGDialogHeader>
+          <ApiKeysContent isOpen={isOpen} />
+        </OGDialogContent>
+      </OGDialog>
+    </div>
+  );
+}
diff --git a/client/src/components/Nav/SettingsTabs/Data/Data.tsx b/client/src/components/Nav/SettingsTabs/Data/Data.tsx
index 0bba5a152e17..eb8cea98c294 100644
--- a/client/src/components/Nav/SettingsTabs/Data/Data.tsx
+++ b/client/src/components/Nav/SettingsTabs/Data/Data.tsx
@@ -1,15 +1,22 @@
 import React, { useState, useRef } from 'react';
 import { useOnClickOutside } from '@librechat/client';
+import { Permissions, PermissionTypes } from 'librechat-data-provider';
 import ImportConversations from './ImportConversations';
-import { RevokeKeys } from './RevokeKeys';
+import { AgentApiKeys } from './AgentApiKeys';
 import { DeleteCache } from './DeleteCache';
+import { RevokeKeys } from './RevokeKeys';
 import { ClearChats } from './ClearChats';
 import SharedLinks from './SharedLinks';
+import { useHasAccess } from '~/hooks';
 
 function Data() {
   const dataTabRef = useRef(null);
   const [confirmClearConvos, setConfirmClearConvos] = useState(false);
   useOnClickOutside(dataTabRef, () => confirmClearConvos && setConfirmClearConvos(false), []);
+  const hasAccessToApiKeys = useHasAccess({
+    permissionType: PermissionTypes.REMOTE_AGENTS,
+    permission: Permissions.USE,
+  });
 
   return (
     <div className="flex flex-col gap-3 p-1 text-sm text-text-primary">
@@ -19,6 +26,11 @@ function Data() {
       <div className="pb-3">
         <SharedLinks />
       </div>
+      {hasAccessToApiKeys && (
+        <div className="pb-3">
+          <AgentApiKeys />
+        </div>
+      )}
       <div className="pb-3">
         <RevokeKeys />
       </div>
diff --git a/client/src/components/SidePanel/Agents/AgentFooter.tsx b/client/src/components/SidePanel/Agents/AgentFooter.tsx
index 80a449bb2d77..b2fa99659626 100644
--- a/client/src/components/SidePanel/Agents/AgentFooter.tsx
+++ b/client/src/components/SidePanel/Agents/AgentFooter.tsx
@@ -1,3 +1,4 @@
+import { Globe } from 'lucide-react';
 import { Spinner } from '@librechat/client';
 import { useWatch, useFormContext } from 'react-hook-form';
 import {
@@ -44,13 +45,20 @@ export default function AgentFooter({
     permissionType: PermissionTypes.AGENTS,
     permission: Permissions.SHARE,
   });
+  const hasAccessToShareRemoteAgents = useHasAccess({
+    permissionType: PermissionTypes.REMOTE_AGENTS,
+    permission: Permissions.SHARE,
+  });
   const { hasPermission, isLoading: permissionsLoading } = useResourcePermissions(
     ResourceType.AGENT,
     agent?._id || '',
   );
+  const { hasPermission: hasRemoteAgentPermission, isLoading: remotePermissionsLoading } =
+    useResourcePermissions(ResourceType.REMOTE_AGENT, agent?._id || '');
 
   const canShareThisAgent = hasPermission(PermissionBits.SHARE);
   const canDeleteThisAgent = hasPermission(PermissionBits.DELETE);
+  const canShareRemoteAgent = hasRemoteAgentPermission(PermissionBits.SHARE);
   const isSaving = createMutation.isLoading || updateMutation.isLoading || isAvatarUploading;
   const renderSaveButton = () => {
     if (isSaving) {
@@ -91,6 +99,25 @@ export default function AgentFooter({
               resourceType={ResourceType.AGENT}
             />
           )}
+        {(agent?.author === user?.id || user?.role === SystemRoles.ADMIN || canShareRemoteAgent) &&
+          hasAccessToShareRemoteAgents &&
+          !remotePermissionsLoading &&
+          agent?._id && (
+            <GenericGrantAccessDialog
+              resourceDbId={agent?._id}
+              resourceId={agent_id}
+              resourceName={agent?.name ?? ''}
+              resourceType={ResourceType.REMOTE_AGENT}
+            >
+              <button
+                type="button"
+                className="btn btn-neutral border-token-border-light h-9 px-3"
+                title={localize('com_ui_remote_access')}
+              >
+                <Globe className="h-4 w-4" aria-hidden="true" />
+              </button>
+            </GenericGrantAccessDialog>
+          )}
         {agent && agent.author === user?.id && <DuplicateAgent agent_id={agent_id} />}
         {/* Submit Button */}
         <button
diff --git a/client/src/components/SidePanel/Agents/AgentPanel.tsx b/client/src/components/SidePanel/Agents/AgentPanel.tsx
index 86ec27dc5e1d..f74dcfddcccd 100644
--- a/client/src/components/SidePanel/Agents/AgentPanel.tsx
+++ b/client/src/components/SidePanel/Agents/AgentPanel.tsx
@@ -23,6 +23,7 @@ import {
 import { createProviderOption, getDefaultAgentFormValues } from '~/utils';
 import { useResourcePermissions } from '~/hooks/useResourcePermissions';
 import { useSelectAgent, useLocalize, useAuthContext } from '~/hooks';
+import type { TranslationKeys } from '~/hooks/useLocalize';
 import { useAgentPanelContext } from '~/Providers/AgentPanelContext';
 import AgentPanelSkeleton from './AgentPanelSkeleton';
 import AdvancedPanel from './Advanced/AdvancedPanel';
@@ -36,8 +37,8 @@ import ModelPanel from './ModelPanel';
 function getUpdateToastMessage(
   noVersionChange: boolean,
   avatarActionState: AgentForm['avatar_action'],
-  name: string | undefined,
-  localize: (key: string, vars?: Record<string, unknown> | Array<string | number>) => string,
+  name: string | null | undefined,
+  localize: (key: TranslationKeys, vars?: Record<string, unknown>) => string,
 ): string | null {
   // If only avatar upload is pending (separate endpoint), suppress the no-changes toast.
   if (noVersionChange && avatarActionState === 'upload') {
@@ -72,6 +73,7 @@ export function composeAgentUpdatePayload(data: AgentForm, agent_id?: string | n
     recursion_limit,
     category,
     support_contact,
+    tool_options,
     avatar_action: avatarActionState,
   } = data;
 
@@ -97,6 +99,7 @@ export function composeAgentUpdatePayload(data: AgentForm, agent_id?: string | n
       recursion_limit,
       category,
       support_contact,
+      tool_options,
       ...(shouldResetAvatar ? { avatar: null } : {}),
     },
     provider,
@@ -545,7 +548,7 @@ export default function AgentPanel() {
           <AgentFooter
             createMutation={create}
             updateMutation={update}
-            isAvatarUploading={isAvatarUploadInFlight || uploadAvatarMutation.isPending}
+            isAvatarUploading={isAvatarUploadInFlight || uploadAvatarMutation.isLoading}
             activePanel={activePanel}
             setActivePanel={setActivePanel}
             setCurrentAgentId={setCurrentAgentId}
diff --git a/client/src/components/SidePanel/Agents/AgentSelect.tsx b/client/src/components/SidePanel/Agents/AgentSelect.tsx
index 9a3ef387c9b9..a9e4ef70367e 100644
--- a/client/src/components/SidePanel/Agents/AgentSelect.tsx
+++ b/client/src/components/SidePanel/Agents/AgentSelect.tsx
@@ -111,6 +111,11 @@ export default function AgentSelect({
           return;
         }
 
+        if (name === 'tool_options' && typeof value === 'object' && value !== null) {
+          formValues[name] = value;
+          return;
+        }
+
         if (!keys.has(name)) {
           return;
         }
diff --git a/client/src/components/SidePanel/Agents/MCPTool.tsx b/client/src/components/SidePanel/Agents/MCPTool.tsx
index 25d7c4c42451..dc7362b9b642 100644
--- a/client/src/components/SidePanel/Agents/MCPTool.tsx
+++ b/client/src/components/SidePanel/Agents/MCPTool.tsx
@@ -1,7 +1,7 @@
-import React, { useState } from 'react';
-import { ChevronDown } from 'lucide-react';
-import { useFormContext } from 'react-hook-form';
+import React, { useState, useCallback } from 'react';
+import { ChevronDown, Clock } from 'lucide-react';
 import { Constants } from 'librechat-data-provider';
+import { useFormContext, useWatch } from 'react-hook-form';
 import * as AccordionPrimitive from '@radix-ui/react-accordion';
 import {
   Label,
@@ -10,14 +10,22 @@ import {
   OGDialog,
   Accordion,
   TrashIcon,
+  TooltipAnchor,
   InfoHoverCard,
   AccordionItem,
   OGDialogTrigger,
   AccordionContent,
   OGDialogTemplate,
 } from '@librechat/client';
+import type { AgentToolOptions } from 'librechat-data-provider';
 import type { AgentForm, MCPServerInfo } from '~/common';
-import { useLocalize, useMCPServerManager, useRemoveMCPTool } from '~/hooks';
+import {
+  useAgentCapabilities,
+  useMCPServerManager,
+  useGetAgentsConfig,
+  useRemoveMCPTool,
+  useLocalize,
+} from '~/hooks';
 import MCPServerStatusIcon from '~/components/MCP/MCPServerStatusIcon';
 import MCPConfigDialog from '~/components/MCP/MCPConfigDialog';
 import { cn } from '~/utils';
@@ -25,13 +33,84 @@ import { cn } from '~/utils';
 export default function MCPTool({ serverInfo }: { serverInfo?: MCPServerInfo }) {
   const localize = useLocalize();
   const { removeTool } = useRemoveMCPTool();
-  const { getValues, setValue } = useFormContext<AgentForm>();
+  const { getValues, setValue, control } = useFormContext<AgentForm>();
   const { getServerStatusIconProps, getConfigDialogProps } = useMCPServerManager();
+  const { agentsConfig } = useGetAgentsConfig();
+  const { deferredToolsEnabled } = useAgentCapabilities(agentsConfig?.capabilities);
 
   const [isFocused, setIsFocused] = useState(false);
   const [isHovering, setIsHovering] = useState(false);
   const [accordionValue, setAccordionValue] = useState<string>('');
 
+  const formToolOptions = useWatch({ control, name: 'tool_options' });
+
+  /** Check if a specific tool has defer_loading enabled */
+  const isToolDeferred = useCallback(
+    (toolId: string): boolean => formToolOptions?.[toolId]?.defer_loading === true,
+    [formToolOptions],
+  );
+
+  /** Toggle defer_loading for a specific tool */
+  const toggleToolDefer = useCallback(
+    (toolId: string) => {
+      const currentOptions = getValues('tool_options') || {};
+      const currentToolOptions = currentOptions[toolId] || {};
+      const newDeferred = !currentToolOptions.defer_loading;
+
+      const updatedOptions: AgentToolOptions = { ...currentOptions };
+
+      if (newDeferred) {
+        updatedOptions[toolId] = {
+          ...currentToolOptions,
+          defer_loading: true,
+        };
+      } else {
+        const { defer_loading: _, ...restOptions } = currentToolOptions;
+        if (Object.keys(restOptions).length === 0) {
+          delete updatedOptions[toolId];
+        } else {
+          updatedOptions[toolId] = restOptions;
+        }
+      }
+
+      setValue('tool_options', updatedOptions, { shouldDirty: true });
+    },
+    [getValues, setValue],
+  );
+
+  /** Check if all server tools are deferred */
+  const areAllToolsDeferred =
+    serverInfo?.tools &&
+    serverInfo.tools.length > 0 &&
+    serverInfo.tools.every((tool) => formToolOptions?.[tool.tool_id]?.defer_loading === true);
+
+  /** Toggle defer_loading for all tools from this server */
+  const toggleDeferAll = useCallback(() => {
+    if (!serverInfo?.tools) return;
+
+    const shouldDefer = !areAllToolsDeferred;
+    const currentOptions = getValues('tool_options') || {};
+    const updatedOptions: AgentToolOptions = { ...currentOptions };
+
+    for (const tool of serverInfo.tools) {
+      if (shouldDefer) {
+        updatedOptions[tool.tool_id] = {
+          ...(updatedOptions[tool.tool_id] || {}),
+          defer_loading: true,
+        };
+      } else {
+        if (updatedOptions[tool.tool_id]) {
+          delete updatedOptions[tool.tool_id].defer_loading;
+          if (Object.keys(updatedOptions[tool.tool_id]).length === 0) {
+            delete updatedOptions[tool.tool_id];
+          }
+        }
+      }
+    }
+
+    setValue('tool_options', updatedOptions, { shouldDirty: true });
+  }, [serverInfo?.tools, getValues, setValue, areAllToolsDeferred]);
+
   if (!serverInfo) {
     return null;
   }
@@ -170,6 +249,49 @@ export default function MCPTool({ serverInfo }: { serverInfo?: MCPServerInfo })
                           />
                         </div>
 
+                        {/* Defer All toggle - icon only with tooltip */}
+                        {deferredToolsEnabled && (
+                          <TooltipAnchor
+                            description={
+                              areAllToolsDeferred
+                                ? localize('com_ui_mcp_undefer_all')
+                                : localize('com_ui_mcp_defer_all')
+                            }
+                            side="top"
+                            role="button"
+                            tabIndex={isExpanded ? 0 : -1}
+                            aria-label={
+                              areAllToolsDeferred
+                                ? localize('com_ui_mcp_undefer_all')
+                                : localize('com_ui_mcp_defer_all')
+                            }
+                            aria-pressed={areAllToolsDeferred}
+                            className={cn(
+                              'flex h-7 w-7 items-center justify-center rounded transition-colors duration-200',
+                              'focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-1',
+                              isExpanded ? 'visible' : 'pointer-events-none invisible',
+                              areAllToolsDeferred
+                                ? 'bg-amber-500/20 text-amber-500 hover:bg-amber-500/30'
+                                : 'text-text-tertiary hover:bg-surface-hover hover:text-text-primary',
+                            )}
+                            onClick={(e) => {
+                              e.stopPropagation();
+                              toggleDeferAll();
+                            }}
+                            onKeyDown={(e) => {
+                              if (e.key === 'Enter' || e.key === ' ') {
+                                e.preventDefault();
+                                e.stopPropagation();
+                                toggleDeferAll();
+                              }
+                            }}
+                          >
+                            <Clock
+                              className={cn('h-4 w-4', areAllToolsDeferred && 'fill-amber-500/30')}
+                            />
+                          </TooltipAnchor>
+                        )}
+
                         <div className="flex items-center gap-1">
                           {/* Caret button for accordion */}
                           <AccordionPrimitive.Trigger asChild>
@@ -230,52 +352,97 @@ export default function MCPTool({ serverInfo }: { serverInfo?: MCPServerInfo })
 
           <AccordionContent className="relative ml-1 pt-1 before:absolute before:bottom-2 before:left-0 before:top-0 before:w-0.5 before:bg-border-medium">
             <div className="space-y-1">
-              {serverInfo.tools?.map((subTool) => (
-                <label
-                  key={subTool.tool_id}
-                  htmlFor={subTool.tool_id}
-                  className={cn(
-                    'group/item border-token-border-light hover:bg-token-surface-secondary flex cursor-pointer items-center rounded-lg border p-2',
-                    'ml-2 mr-1 focus-within:ring-2 focus-within:ring-ring focus-within:ring-offset-2 focus-within:ring-offset-background',
-                  )}
-                  onClick={(e) => e.stopPropagation()}
-                  onKeyDown={(e) => {
-                    e.stopPropagation();
-                  }}
-                >
-                  <Checkbox
-                    id={subTool.tool_id}
-                    checked={selectedTools.includes(subTool.tool_id)}
-                    onCheckedChange={(_checked) => {
-                      const newSelectedTools = selectedTools.includes(subTool.tool_id)
-                        ? selectedTools.filter((t) => t !== subTool.tool_id)
-                        : [...selectedTools, subTool.tool_id];
-                      updateFormTools(newSelectedTools);
-                    }}
+              {serverInfo.tools?.map((subTool) => {
+                const isDeferred = deferredToolsEnabled && isToolDeferred(subTool.tool_id);
+                return (
+                  <label
+                    key={subTool.tool_id}
+                    htmlFor={subTool.tool_id}
+                    className={cn(
+                      'group/item flex cursor-pointer items-center rounded-lg border p-2',
+                      'ml-2 mr-1 focus-within:ring-2 focus-within:ring-ring focus-within:ring-offset-2 focus-within:ring-offset-background',
+                      isDeferred
+                        ? 'border-amber-500/50 bg-amber-500/5 hover:bg-amber-500/10'
+                        : 'border-token-border-light hover:bg-token-surface-secondary',
+                    )}
+                    onClick={(e) => e.stopPropagation()}
                     onKeyDown={(e) => {
                       e.stopPropagation();
-                      if (e.key === 'Enter' || e.key === ' ') {
-                        e.preventDefault();
-                        const checkbox = e.currentTarget as HTMLButtonElement;
-                        checkbox.click();
-                      }
                     }}
-                    onClick={(e) => e.stopPropagation()}
-                    className={cn(
-                      'relative float-left mr-2 inline-flex h-4 w-4 cursor-pointer rounded border border-border-medium transition-[border-color] duration-200 hover:border-border-heavy focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 focus:ring-offset-background',
-                    )}
-                    aria-label={subTool.metadata.name}
-                  />
-                  <span className="text-token-text-primary select-none">
-                    {subTool.metadata.name}
-                  </span>
-                  {subTool.metadata.description && (
-                    <div className="ml-auto flex items-center opacity-0 transition-opacity duration-200 group-focus-within/item:opacity-100 group-hover/item:opacity-100">
-                      <InfoHoverCard side={ESide.Left} text={subTool.metadata.description} />
+                  >
+                    <Checkbox
+                      id={subTool.tool_id}
+                      checked={selectedTools.includes(subTool.tool_id)}
+                      onCheckedChange={(_checked) => {
+                        const newSelectedTools = selectedTools.includes(subTool.tool_id)
+                          ? selectedTools.filter((t) => t !== subTool.tool_id)
+                          : [...selectedTools, subTool.tool_id];
+                        updateFormTools(newSelectedTools);
+                      }}
+                      onKeyDown={(e) => {
+                        e.stopPropagation();
+                        if (e.key === 'Enter' || e.key === ' ') {
+                          e.preventDefault();
+                          const checkbox = e.currentTarget as HTMLButtonElement;
+                          checkbox.click();
+                        }
+                      }}
+                      onClick={(e) => e.stopPropagation()}
+                      className={cn(
+                        'relative float-left mr-2 inline-flex h-4 w-4 cursor-pointer rounded border border-border-medium transition-[border-color] duration-200 hover:border-border-heavy focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 focus:ring-offset-background',
+                      )}
+                      aria-label={subTool.metadata.name}
+                    />
+                    <span className="text-token-text-primary flex-1 select-none">
+                      {subTool.metadata.name}
+                    </span>
+                    <div className="ml-auto flex items-center gap-1">
+                      {/* Per-tool defer toggle - icon only */}
+                      {deferredToolsEnabled && (
+                        <TooltipAnchor
+                          description={
+                            isDeferred
+                              ? localize('com_ui_mcp_click_to_undefer')
+                              : localize('com_ui_mcp_click_to_defer')
+                          }
+                          side="top"
+                          role="button"
+                          aria-label={
+                            isDeferred
+                              ? localize('com_ui_mcp_undefer')
+                              : localize('com_ui_mcp_defer_loading')
+                          }
+                          aria-pressed={isDeferred}
+                          className={cn(
+                            'flex h-6 w-6 items-center justify-center rounded transition-all duration-200',
+                            'focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-1',
+                            isDeferred
+                              ? 'bg-amber-500/20 text-amber-500 hover:bg-amber-500/30'
+                              : 'text-text-tertiary opacity-0 hover:bg-surface-hover hover:text-text-primary group-focus-within/item:opacity-100 group-hover/item:opacity-100',
+                          )}
+                          onClick={(e) => {
+                            e.stopPropagation();
+                            e.preventDefault();
+                            toggleToolDefer(subTool.tool_id);
+                          }}
+                          onKeyDown={(e) => {
+                            e.stopPropagation();
+                            if (e.key === 'Enter' || e.key === ' ') {
+                              e.preventDefault();
+                              toggleToolDefer(subTool.tool_id);
+                            }
+                          }}
+                        >
+                          <Clock className={cn('h-3.5 w-3.5', isDeferred && 'fill-amber-500/30')} />
+                        </TooltipAnchor>
+                      )}
+                      {subTool.metadata.description && (
+                        <InfoHoverCard side={ESide.Left} text={subTool.metadata.description} />
+                      )}
                     </div>
-                  )}
-                </label>
-              ))}
+                  </label>
+                );
+              })}
             </div>
           </AccordionContent>
         </AccordionItem>
diff --git a/client/src/components/SidePanel/Agents/__tests__/AgentFooter.spec.tsx b/client/src/components/SidePanel/Agents/__tests__/AgentFooter.spec.tsx
index 3425f5a75c36..8d882bffe8ef 100644
--- a/client/src/components/SidePanel/Agents/__tests__/AgentFooter.spec.tsx
+++ b/client/src/components/SidePanel/Agents/__tests__/AgentFooter.spec.tsx
@@ -174,7 +174,7 @@ jest.mock('~/components/Sharing', () => ({
     resourceType: ResourceType;
   }) => (
     <div
-      data-testid="grant-access-dialog"
+      data-testid={`grant-access-dialog-${resourceType}`}
       data-resource-db-id={resourceDbId}
       data-resource-id={resourceId}
       data-resource-name={resourceName}
@@ -274,7 +274,7 @@ describe('AgentFooter', () => {
       expect(screen.getByTestId('version-button')).toBeInTheDocument();
       expect(screen.getByTestId('delete-button')).toBeInTheDocument();
       expect(screen.queryByTestId('admin-settings')).not.toBeInTheDocument();
-      expect(screen.getByTestId('grant-access-dialog')).toBeInTheDocument();
+      expect(screen.getByTestId('grant-access-dialog-agent')).toBeInTheDocument();
       expect(screen.getByTestId('duplicate-button')).toBeInTheDocument();
       expect(screen.queryByTestId('spinner')).not.toBeInTheDocument();
     });
@@ -338,7 +338,7 @@ describe('AgentFooter', () => {
       expect(screen.getByText('Create')).toBeInTheDocument();
       expect(screen.queryByTestId('version-button')).not.toBeInTheDocument();
       expect(screen.queryByTestId('delete-button')).not.toBeInTheDocument();
-      expect(screen.queryByTestId('grant-access-dialog')).not.toBeInTheDocument();
+      expect(screen.queryByTestId('grant-access-dialog-agent')).not.toBeInTheDocument();
       expect(screen.queryByTestId('duplicate-agent')).not.toBeInTheDocument();
     });
 
@@ -346,7 +346,7 @@ describe('AgentFooter', () => {
       mockUseAuthContext.mockReturnValue(createAuthContext(mockUsers.admin));
       const { unmount } = render(<AgentFooter {...defaultProps} />);
       expect(screen.getByTestId('admin-settings')).toBeInTheDocument();
-      expect(screen.getByTestId('grant-access-dialog')).toBeInTheDocument();
+      expect(screen.getByTestId('grant-access-dialog-agent')).toBeInTheDocument();
 
       // Clean up the first render
       unmount();
@@ -363,7 +363,7 @@ describe('AgentFooter', () => {
         return undefined;
       });
       render(<AgentFooter {...defaultProps} />);
-      expect(screen.queryByTestId('grant-access-dialog')).toBeInTheDocument(); // Still shows because hasAccess is true
+      expect(screen.queryByTestId('grant-access-dialog-agent')).toBeInTheDocument(); // Still shows because hasAccess is true
       expect(screen.queryByTestId('duplicate-agent')).not.toBeInTheDocument(); // Should not show for different author
     });
 
@@ -392,7 +392,7 @@ describe('AgentFooter', () => {
         permissionBits: 0,
       });
       render(<AgentFooter {...defaultProps} />);
-      expect(screen.queryByTestId('grant-access-dialog')).not.toBeInTheDocument();
+      expect(screen.queryByTestId('grant-access-dialog-agent')).not.toBeInTheDocument();
     });
 
     test('hides action buttons when permissions are loading', () => {
@@ -419,7 +419,7 @@ describe('AgentFooter', () => {
       });
       render(<AgentFooter {...defaultProps} />);
       expect(screen.queryByTestId('delete-button')).not.toBeInTheDocument();
-      expect(screen.queryByTestId('grant-access-dialog')).not.toBeInTheDocument();
+      expect(screen.queryByTestId('grant-access-dialog-agent')).not.toBeInTheDocument();
       // Duplicate button should still show as it doesn't depend on permissions loading
       expect(screen.getByTestId('duplicate-button')).toBeInTheDocument();
     });
diff --git a/client/src/data-provider/roles.ts b/client/src/data-provider/roles.ts
index 46edcd2dc933..356d9bd14577 100644
--- a/client/src/data-provider/roles.ts
+++ b/client/src/data-provider/roles.ts
@@ -4,14 +4,15 @@ import {
   dataService,
   promptPermissionsSchema,
   memoryPermissionsSchema,
+  mcpServersPermissionsSchema,
   marketplacePermissionsSchema,
   peoplePickerPermissionsSchema,
-  mcpServersPermissionsSchema,
+  remoteAgentsPermissionsSchema,
 } from 'librechat-data-provider';
 import type {
-  UseQueryOptions,
-  UseMutationResult,
   QueryObserverResult,
+  UseMutationResult,
+  UseQueryOptions,
 } from '@tanstack/react-query';
 import type * as t from 'librechat-data-provider';
 
@@ -243,3 +244,39 @@ export const useUpdateMarketplacePermissionsMutation = (
     },
   );
 };
+
+export const useUpdateRemoteAgentsPermissionsMutation = (
+  options?: t.UpdateRemoteAgentsPermOptions,
+): UseMutationResult<
+  t.UpdatePermResponse,
+  t.TError | undefined,
+  t.UpdateRemoteAgentsPermVars,
+  unknown
+> => {
+  const queryClient = useQueryClient();
+  const { onMutate, onSuccess, onError } = options ?? {};
+  return useMutation(
+    (variables) => {
+      remoteAgentsPermissionsSchema.partial().parse(variables.updates);
+      return dataService.updateRemoteAgentsPermissions(variables);
+    },
+    {
+      onSuccess: (data, variables, context) => {
+        queryClient.invalidateQueries([QueryKeys.roles, variables.roleName]);
+        if (onSuccess) {
+          onSuccess(data, variables, context);
+        }
+      },
+      onError: (...args) => {
+        const error = args[0];
+        if (error != null) {
+          console.error('Failed to update remote agents permissions:', error);
+        }
+        if (onError) {
+          onError(...args);
+        }
+      },
+      onMutate,
+    },
+  );
+};
diff --git a/client/src/hooks/Agents/__tests__/useAgentCapabilities.spec.ts b/client/src/hooks/Agents/__tests__/useAgentCapabilities.spec.ts
new file mode 100644
index 000000000000..d698d51bab13
--- /dev/null
+++ b/client/src/hooks/Agents/__tests__/useAgentCapabilities.spec.ts
@@ -0,0 +1,88 @@
+import { renderHook } from '@testing-library/react';
+import { AgentCapabilities } from 'librechat-data-provider';
+import useAgentCapabilities from '../useAgentCapabilities';
+
+describe('useAgentCapabilities', () => {
+  it('should return all capabilities as false when capabilities is undefined', () => {
+    const { result } = renderHook(() => useAgentCapabilities(undefined));
+
+    expect(result.current.toolsEnabled).toBe(false);
+    expect(result.current.actionsEnabled).toBe(false);
+    expect(result.current.artifactsEnabled).toBe(false);
+    expect(result.current.ocrEnabled).toBe(false);
+    expect(result.current.contextEnabled).toBe(false);
+    expect(result.current.fileSearchEnabled).toBe(false);
+    expect(result.current.webSearchEnabled).toBe(false);
+    expect(result.current.codeEnabled).toBe(false);
+    expect(result.current.deferredToolsEnabled).toBe(false);
+  });
+
+  it('should return all capabilities as false when capabilities is empty array', () => {
+    const { result } = renderHook(() => useAgentCapabilities([]));
+
+    expect(result.current.toolsEnabled).toBe(false);
+    expect(result.current.deferredToolsEnabled).toBe(false);
+  });
+
+  it('should return true for enabled capabilities', () => {
+    const capabilities = [
+      AgentCapabilities.tools,
+      AgentCapabilities.deferred_tools,
+      AgentCapabilities.file_search,
+    ];
+
+    const { result } = renderHook(() => useAgentCapabilities(capabilities));
+
+    expect(result.current.toolsEnabled).toBe(true);
+    expect(result.current.deferredToolsEnabled).toBe(true);
+    expect(result.current.fileSearchEnabled).toBe(true);
+    expect(result.current.actionsEnabled).toBe(false);
+    expect(result.current.webSearchEnabled).toBe(false);
+  });
+
+  it('should return deferredToolsEnabled as true when deferred_tools is in capabilities', () => {
+    const capabilities = [AgentCapabilities.deferred_tools];
+
+    const { result } = renderHook(() => useAgentCapabilities(capabilities));
+
+    expect(result.current.deferredToolsEnabled).toBe(true);
+  });
+
+  it('should return deferredToolsEnabled as false when deferred_tools is not in capabilities', () => {
+    const capabilities = [
+      AgentCapabilities.tools,
+      AgentCapabilities.actions,
+      AgentCapabilities.artifacts,
+    ];
+
+    const { result } = renderHook(() => useAgentCapabilities(capabilities));
+
+    expect(result.current.deferredToolsEnabled).toBe(false);
+  });
+
+  it('should handle all capabilities being enabled', () => {
+    const capabilities = [
+      AgentCapabilities.tools,
+      AgentCapabilities.actions,
+      AgentCapabilities.artifacts,
+      AgentCapabilities.ocr,
+      AgentCapabilities.context,
+      AgentCapabilities.file_search,
+      AgentCapabilities.web_search,
+      AgentCapabilities.execute_code,
+      AgentCapabilities.deferred_tools,
+    ];
+
+    const { result } = renderHook(() => useAgentCapabilities(capabilities));
+
+    expect(result.current.toolsEnabled).toBe(true);
+    expect(result.current.actionsEnabled).toBe(true);
+    expect(result.current.artifactsEnabled).toBe(true);
+    expect(result.current.ocrEnabled).toBe(true);
+    expect(result.current.contextEnabled).toBe(true);
+    expect(result.current.fileSearchEnabled).toBe(true);
+    expect(result.current.webSearchEnabled).toBe(true);
+    expect(result.current.codeEnabled).toBe(true);
+    expect(result.current.deferredToolsEnabled).toBe(true);
+  });
+});
diff --git a/client/src/hooks/Agents/useAgentCapabilities.ts b/client/src/hooks/Agents/useAgentCapabilities.ts
index 8d2bd6ef87ea..777e41fdfb49 100644
--- a/client/src/hooks/Agents/useAgentCapabilities.ts
+++ b/client/src/hooks/Agents/useAgentCapabilities.ts
@@ -10,6 +10,7 @@ interface AgentCapabilitiesResult {
   fileSearchEnabled: boolean;
   webSearchEnabled: boolean;
   codeEnabled: boolean;
+  deferredToolsEnabled: boolean;
 }
 
 export default function useAgentCapabilities(
@@ -55,6 +56,11 @@ export default function useAgentCapabilities(
     [capabilities],
   );
 
+  const deferredToolsEnabled = useMemo(
+    () => capabilities?.includes(AgentCapabilities.deferred_tools) ?? false,
+    [capabilities],
+  );
+
   return {
     ocrEnabled,
     codeEnabled,
@@ -64,5 +70,6 @@ export default function useAgentCapabilities(
     artifactsEnabled,
     webSearchEnabled,
     fileSearchEnabled,
+    deferredToolsEnabled,
   };
 }
diff --git a/client/src/hooks/SSE/useAttachmentHandler.ts b/client/src/hooks/SSE/useAttachmentHandler.ts
index 8ac9f35eb2ac..06261f4af6e3 100644
--- a/client/src/hooks/SSE/useAttachmentHandler.ts
+++ b/client/src/hooks/SSE/useAttachmentHandler.ts
@@ -1,7 +1,12 @@
 import { useSetRecoilState } from 'recoil';
 import type { QueryClient } from '@tanstack/react-query';
 import { QueryKeys, Tools } from 'librechat-data-provider';
-import type { TAttachment, EventSubmission, MemoriesResponse } from 'librechat-data-provider';
+import type {
+  MemoriesResponse,
+  EventSubmission,
+  TAttachment,
+  TFile,
+} from 'librechat-data-provider';
 import { handleMemoryArtifact } from '~/utils/memory';
 import store from '~/store';
 
@@ -11,9 +16,24 @@ export default function useAttachmentHandler(queryClient?: QueryClient) {
   return ({ data }: { data: TAttachment; submission: EventSubmission }) => {
     const { messageId } = data;
 
-    if (queryClient && data?.filepath && !data.filepath.includes('/api/files')) {
-      queryClient.setQueryData([QueryKeys.files], (oldData: TAttachment[] | undefined) => {
-        return [data, ...(oldData || [])];
+    const fileData = data as TFile;
+    if (
+      queryClient &&
+      fileData?.file_id &&
+      fileData?.filepath &&
+      !fileData.filepath.includes('/api/files')
+    ) {
+      queryClient.setQueryData([QueryKeys.files], (oldData: TFile[] | undefined) => {
+        if (!oldData) {
+          return [fileData];
+        }
+        const existingIndex = oldData.findIndex((file) => file.file_id === fileData.file_id);
+        if (existingIndex > -1) {
+          const updated = [...oldData];
+          updated[existingIndex] = { ...oldData[existingIndex], ...fileData };
+          return updated;
+        }
+        return [fileData, ...oldData];
       });
     }
 
diff --git a/client/src/hooks/Sharing/useCanSharePublic.ts b/client/src/hooks/Sharing/useCanSharePublic.ts
index 699ccc9e73af..54355dd9a848 100644
--- a/client/src/hooks/Sharing/useCanSharePublic.ts
+++ b/client/src/hooks/Sharing/useCanSharePublic.ts
@@ -1,10 +1,11 @@
 import { ResourceType, PermissionTypes, Permissions } from 'librechat-data-provider';
 import { useHasAccess } from '~/hooks';
 
-const resourceToPermissionMap: Record<ResourceType, PermissionTypes> = {
+const resourceToPermissionMap: Partial<Record<ResourceType, PermissionTypes>> = {
   [ResourceType.AGENT]: PermissionTypes.AGENTS,
   [ResourceType.PROMPTGROUP]: PermissionTypes.PROMPTS,
   [ResourceType.MCPSERVER]: PermissionTypes.MCP_SERVERS,
+  [ResourceType.REMOTE_AGENT]: PermissionTypes.REMOTE_AGENTS,
 };
 
 /**
diff --git a/client/src/locales/en/translation.json b/client/src/locales/en/translation.json
index addf32e08adb..87f137145324 100644
--- a/client/src/locales/en/translation.json
+++ b/client/src/locales/en/translation.json
@@ -708,6 +708,21 @@
   "com_ui_analyzing": "Analyzing",
   "com_ui_analyzing_finished": "Finished analyzing",
   "com_ui_api_key": "API Key",
+  "com_ui_api_key_copied": "API key copied to clipboard",
+  "com_ui_api_key_create_error": "Failed to create API key",
+  "com_ui_api_key_created": "API key created successfully",
+  "com_ui_api_key_delete_error": "Failed to delete API key",
+  "com_ui_api_key_deleted": "API key deleted successfully",
+  "com_ui_api_key_name": "Key Name",
+  "com_ui_api_key_name_placeholder": "My API Key",
+  "com_ui_api_key_name_required": "API key name is required",
+  "com_ui_api_key_warning": "Make sure to copy your API key now. You won't be able to see it again!",
+  "com_ui_api_keys_load_error": "Failed to load API keys",
+  "com_ui_agent_api_keys": "Agent API Keys",
+  "com_ui_agent_api_keys_description": "Create API keys to access agents remotely via the API",
+  "com_ui_create_api_key": "Create API Key",
+  "com_ui_no_api_keys": "No API keys yet. Create one to get started.",
+  "com_ui_your_api_key": "Your API Key",
   "com_ui_archive": "Archive",
   "com_ui_archive_delete_error": "Failed to delete archived conversation",
   "com_ui_archive_error": "Failed to archive conversation",
@@ -838,6 +853,7 @@
   "com_ui_copy_to_clipboard": "Copy to clipboard",
   "com_ui_copy_url_to_clipboard": "Copy URL to clipboard",
   "com_ui_create": "Create",
+  "com_ui_created": "Created",
   "com_ui_create_assistant": "Create Assistant",
   "com_ui_create_link": "Create link",
   "com_ui_create_memory": "Create Memory",
@@ -1022,6 +1038,7 @@
   "com_ui_hide_image_details": "Hide Image Details",
   "com_ui_hide_password": "Hide password",
   "com_ui_hide_qr": "Hide QR Code",
+  "com_ui_hide": "Hide",
   "com_ui_high": "High",
   "com_ui_host": "Host",
   "com_ui_icon": "Icon",
@@ -1043,6 +1060,7 @@
   "com_ui_instructions": "Instructions",
   "com_ui_key": "Key",
   "com_ui_key_required": "API key is required",
+  "com_ui_last_used": "Last used",
   "com_ui_late_night": "Happy late night",
   "com_ui_latest_footer": "Every AI for Everyone.",
   "com_ui_latest_production_version": "Latest production version",
@@ -1088,6 +1106,13 @@
   "com_ui_mcp_server_role_viewer": "MCP Server Viewer",
   "com_ui_mcp_server_role_viewer_desc": "Can view and use MCP servers",
   "com_ui_mcp_server_updated": "MCP server updated successfully",
+  "com_ui_remote_access": "Remote Access",
+  "com_ui_remote_agent_role_owner": "API Owner",
+  "com_ui_remote_agent_role_owner_desc": "Full API access and can grant remote access to others",
+  "com_ui_remote_agent_role_editor": "Editor",
+  "com_ui_remote_agent_role_editor_desc": "Can view and modify the agent via API",
+  "com_ui_remote_agent_role_viewer": "API Viewer",
+  "com_ui_remote_agent_role_viewer_desc": "Can query the agent via API",
   "com_ui_mcp_server_url_placeholder": "https://mcp.example.com",
   "com_ui_mcp_servers": "MCP Servers",
   "com_ui_mcp_servers_allow_create": "Allow users to create MCP servers",
@@ -1100,6 +1125,13 @@
   "com_ui_mcp_type_streamable_http": "Streamable HTTPS",
   "com_ui_mcp_update_var": "Update {{0}}",
   "com_ui_mcp_url": "MCP Server URL",
+  "com_ui_mcp_defer_loading": "Defer loading",
+  "com_ui_mcp_defer": "Defer",
+  "com_ui_mcp_defer_all": "Defer all tools",
+  "com_ui_mcp_undefer": "Undefer",
+  "com_ui_mcp_undefer_all": "Undefer all tools",
+  "com_ui_mcp_click_to_defer": "Click to defer - tool will be discoverable via search but not loaded until needed",
+  "com_ui_mcp_click_to_undefer": "Click to undefer - tool will be loaded immediately",
   "com_ui_medium": "Medium",
   "com_ui_memories": "Memories",
   "com_ui_memories_allow_create": "Allow creating Memories",
@@ -1230,6 +1262,11 @@
   "com_ui_regenerating": "Regenerating...",
   "com_ui_region": "Region",
   "com_ui_reinitialize": "Reinitialize",
+  "com_ui_remote_agents": "Remote Agents (API)",
+  "com_ui_remote_agents_allow_use": "Allow users to create API keys and query agents remotely",
+  "com_ui_remote_agents_allow_create": "Allow users to create agents via API",
+  "com_ui_remote_agents_allow_share": "Allow users to grant API access to agents to others",
+  "com_ui_remote_agents_allow_share_public": "Allow users to grant API access to agents to all users",
   "com_ui_remove_agent_from_chain": "Remove {{0}} from chain",
   "com_ui_remove_user": "Remove {{0}}",
   "com_ui_rename": "Rename",
@@ -1319,6 +1356,7 @@
   "com_ui_shared_link_not_found": "Shared link not found",
   "com_ui_shared_prompts": "Shared Prompts",
   "com_ui_shop": "Shopping",
+  "com_ui_show": "Show",
   "com_ui_show_all": "Show All",
   "com_ui_show_code": "Show Code",
   "com_ui_show_image_details": "Show Image Details",
diff --git a/client/src/utils/resources.ts b/client/src/utils/resources.ts
index f7c3586dfb54..9b68cef3f642 100644
--- a/client/src/utils/resources.ts
+++ b/client/src/utils/resources.ts
@@ -47,6 +47,19 @@ export const RESOURCE_CONFIGS: Record<ResourceType, ResourceConfig> = {
       `Manage permissions for ${name && name !== '' ? `"${name}"` : 'MCP server'}`,
     getCopyUrlMessage: () => 'MCP Server URL copied',
   },
+  [ResourceType.REMOTE_AGENT]: {
+    resourceType: ResourceType.REMOTE_AGENT,
+    defaultViewerRoleId: AccessRoleIds.REMOTE_AGENT_VIEWER,
+    defaultEditorRoleId: AccessRoleIds.REMOTE_AGENT_EDITOR,
+    defaultOwnerRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+    getResourceUrl: () => `${window.location.origin}/api/v1/responses`,
+    getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'remote agent'),
+    getShareMessage: (name?: string) =>
+      name && name !== '' ? `"${name}" (API Access)` : 'remote agent access',
+    getManageMessage: (name?: string) =>
+      `Manage API access for ${name && name !== '' ? `"${name}"` : 'agent'}`,
+    getCopyUrlMessage: () => 'API endpoint copied',
+  },
 };
 
 export const getResourceConfig = (resourceType: ResourceType): ResourceConfig | undefined => {
diff --git a/client/src/utils/roles.ts b/client/src/utils/roles.ts
index 8bc38b7d522e..1e8cb3d3b2d4 100644
--- a/client/src/utils/roles.ts
+++ b/client/src/utils/roles.ts
@@ -48,6 +48,18 @@ export const ROLE_LOCALIZATIONS = {
     name: 'com_ui_mcp_server_role_owner' as const,
     description: 'com_ui_mcp_server_role_owner_desc' as const,
   } as const,
+  remoteAgent_viewer: {
+    name: 'com_ui_remote_agent_role_viewer' as const,
+    description: 'com_ui_remote_agent_role_viewer_desc' as const,
+  } as const,
+  remoteAgent_editor: {
+    name: 'com_ui_remote_agent_role_editor' as const,
+    description: 'com_ui_remote_agent_role_editor_desc' as const,
+  } as const,
+  remoteAgent_owner: {
+    name: 'com_ui_remote_agent_role_owner' as const,
+    description: 'com_ui_remote_agent_role_owner_desc' as const,
+  } as const,
 };
 
 /**
diff --git a/config/delete-user.js b/config/delete-user.js
index 2d4dea0b37fb..5ad85577a423 100644
--- a/config/delete-user.js
+++ b/config/delete-user.js
@@ -23,6 +23,7 @@ const {
   PluginAuth,
   MemoryEntry,
   PromptGroup,
+  AgentApiKey,
   Transaction,
   Conversation,
   ConversationTag,
@@ -79,6 +80,7 @@ async function gracefulExit(code = 0) {
   const tasks = [
     Action.deleteMany({ user: uid }),
     Agent.deleteMany({ author: uid }),
+    AgentApiKey.deleteMany({ user: uid }),
     Assistant.deleteMany({ user: uid }),
     Balance.deleteMany({ user: uid }),
     ConversationTag.deleteMany({ user: uid }),
diff --git a/librechat.example.yaml b/librechat.example.yaml
index c90ab6592a7d..9acce96624c4 100644
--- a/librechat.example.yaml
+++ b/librechat.example.yaml
@@ -446,18 +446,32 @@ endpoints:
   # AWS Bedrock Example
   # Note: Bedrock endpoint is configured via environment variables
   # bedrock:
+  #   # Models Configuration
+  #   # Specify which models are available (equivalent to BEDROCK_AWS_MODELS env variable)
+  #   models:
+  #     - "anthropic.claude-3-7-sonnet-20250219-v1:0"
+  #     - "anthropic.claude-3-5-sonnet-20241022-v2:0"
+  #
+  #   # Inference Profiles Configuration
+  #   # Maps model IDs to their inference profile ARNs
+  #   # IMPORTANT: The model ID (key) MUST be a valid AWS Bedrock model ID that you've added to the models list above
+  #   # The ARN (value) is the inference profile you wish to map to for that model
+  #   # Both the model ID and ARN are sent to AWS - the model ID for validation/metadata, the ARN for routing
+  #   inferenceProfiles:
+  #     "us.anthropic.claude-sonnet-4-20250514-v1:0": "${BEDROCK_INFERENCE_PROFILE_CLAUDE_SONNET}"
+  #     "anthropic.claude-3-7-sonnet-20250219-v1:0": "arn:aws:bedrock:us-west-2:123456789012:application-inference-profile/abc123"
+  #
   #   # Guardrail Configuration
   #   guardrailConfig:
   #     guardrailIdentifier: "your-guardrail-id"
   #     guardrailVersion: "1"
-  #     
+  #
   #     # Trace behavior for debugging (optional)
   #     # - "enabled": Include basic trace information about guardrail assessments
   #     # - "enabled_full": Include comprehensive trace details (recommended for debugging)
   #     # - "disabled": No trace information (default)
   #     # Trace output is logged to application log files for compliance auditing
   #     trace: "enabled"
-
 # Example modelSpecs configuration showing grouping options
 # The 'group' field organizes model specs in the UI selector:
 # - If 'group' matches an endpoint name (e.g., "openAI", "groq"), the spec appears nested under that endpoint
diff --git a/package-lock.json b/package-lock.json
index 890370749f80..0dd62f9427c2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -50,7 +50,7 @@
       "dependencies": {
         "@anthropic-ai/sdk": "^0.71.0",
         "@anthropic-ai/vertex-sdk": "^0.14.0",
-        "@aws-sdk/client-bedrock-runtime": "^3.941.0",
+        "@aws-sdk/client-bedrock-runtime": "^3.970.0",
         "@aws-sdk/client-s3": "^3.758.0",
         "@aws-sdk/s3-request-presigner": "^3.758.0",
         "@azure/identity": "^4.7.0",
@@ -59,7 +59,7 @@
         "@google/genai": "^1.19.0",
         "@keyv/redis": "^4.3.3",
         "@langchain/core": "^0.3.80",
-        "@librechat/agents": "^3.0.776",
+        "@librechat/agents": "^3.1.0",
         "@librechat/api": "*",
         "@librechat/data-schemas": "*",
         "@microsoft/microsoft-graph-client": "^3.0.7",
@@ -2388,238 +2388,56 @@
       }
     },
     "node_modules/@aws-sdk/client-bedrock-agent-runtime": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-bedrock-agent-runtime/-/client-bedrock-agent-runtime-3.927.0.tgz",
-      "integrity": "sha512-k2UeG/+Ka74jztHDzYNrpNLDSsMCst+ph3+e7uAX5Jmo40tVKa+sVu4DkV3BIXuktc6jqM1ewtfPNug79kN6JQ==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-bedrock-agent-runtime/-/client-bedrock-agent-runtime-3.970.0.tgz",
+      "integrity": "sha512-tsBc43edhhvOVyUP5l9HcRvPIzd1jg2BZCRh4tUlThjxXLsTWUrLvR2vswvv8l3RPKWkj7nz//scTNXDVJPRtQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/credential-provider-node": "3.927.0",
-        "@aws-sdk/middleware-host-header": "3.922.0",
-        "@aws-sdk/middleware-logger": "3.922.0",
-        "@aws-sdk/middleware-recursion-detection": "3.922.0",
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/region-config-resolver": "3.925.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@aws-sdk/util-user-agent-browser": "3.922.0",
-        "@aws-sdk/util-user-agent-node": "3.927.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/core": "^3.17.2",
-        "@smithy/eventstream-serde-browser": "^4.2.4",
-        "@smithy/eventstream-serde-config-resolver": "^4.3.4",
-        "@smithy/eventstream-serde-node": "^4.2.4",
-        "@smithy/fetch-http-handler": "^5.3.5",
-        "@smithy/hash-node": "^4.2.4",
-        "@smithy/invalid-dependency": "^4.2.4",
-        "@smithy/middleware-content-length": "^4.2.4",
-        "@smithy/middleware-endpoint": "^4.3.6",
-        "@smithy/middleware-retry": "^4.4.6",
-        "@smithy/middleware-serde": "^4.2.4",
-        "@smithy/middleware-stack": "^4.2.4",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/node-http-handler": "^4.4.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/credential-provider-node": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/eventstream-serde-browser": "^4.2.8",
+        "@smithy/eventstream-serde-config-resolver": "^4.3.8",
+        "@smithy/eventstream-serde-node": "^4.2.8",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.5",
-        "@smithy/util-defaults-mode-node": "^4.2.8",
-        "@smithy/util-endpoints": "^3.2.4",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-retry": "^4.2.4",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/core": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.927.0.tgz",
-      "integrity": "sha512-QOtR9QdjNeC7bId3fc/6MnqoEezvQ2Fk+x6F+Auf7NhOxwYAtB1nvh0k3+gJHWVGpfxN1I8keahRZd79U68/ag==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/xml-builder": "3.921.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/signature-v4": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-utf8": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/middleware-host-header": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.922.0.tgz",
-      "integrity": "sha512-HPquFgBnq/KqKRVkiuCt97PmWbKtxQ5iUNLEc6FIviqOoZTmaYG3EDsIbuFBz9C4RHJU4FKLmHL2bL3FEId6AA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/middleware-logger": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.922.0.tgz",
-      "integrity": "sha512-AkvYO6b80FBm5/kk2E636zNNcNgjztNNUxpqVx+huyGn9ZqGTzS4kLqW2hO6CBe5APzVtPCtiQsXL24nzuOlAg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.922.0.tgz",
-      "integrity": "sha512-TtSCEDonV/9R0VhVlCpxZbp/9sxQvTTRKzIf8LxW3uXpby6Wl8IxEciBJlxmSkoqxh542WRcko7NYODlvL/gDA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws/lambda-invoke-store": "^0.1.1",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.927.0.tgz",
-      "integrity": "sha512-sv6St9EgEka6E7y19UMCsttFBZ8tsmz2sstgRd7LztlX3wJynpeDUhq0gtedguG1lGZY/gDf832k5dqlRLUk7g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.925.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.925.0.tgz",
-      "integrity": "sha512-FOthcdF9oDb1pfQBRCfWPZhJZT5wqpvdAS5aJzB1WDZ+6EuaAhLzLH/fW1slDunIqq1PSQGG3uSnVglVVOvPHQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/types": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.922.0.tgz",
-      "integrity": "sha512-eLA6XjVobAUAMivvM7DBL79mnHyrm+32TkXNWZua5mnxF+6kQCfblKKJvxMZLGosO53/Ex46ogim8IY5Nbqv2w==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/util-endpoints": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.922.0.tgz",
-      "integrity": "sha512-4ZdQCSuNMY8HMlR1YN4MRDdXuKd+uQTeKIr5/pIM+g3TjInZoj8imvXudjcrFGA63UF3t92YVTkBq88mg58RXQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
-        "@smithy/util-endpoints": "^3.2.4",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/util-user-agent-browser": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.922.0.tgz",
-      "integrity": "sha512-qOJAERZ3Plj1st7M4Q5henl5FRpE30uLm6L9edZqZXGR6c7ry9jzexWamWVpQ4H4xVAVmiO9dIEBAfbq4mduOA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "bowser": "^2.11.0",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.927.0.tgz",
-      "integrity": "sha512-5Ty+29jBTHg1mathEhLJavzA7A7vmhephRYGenFzo8rApLZh+c+MCAqjddSjdDzcf5FH+ydGGnIrj4iIfbZIMQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "peerDependencies": {
-        "aws-crt": ">=1.0.0"
-      },
-      "peerDependenciesMeta": {
-        "aws-crt": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@aws-sdk/xml-builder": {
-      "version": "3.921.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.921.0.tgz",
-      "integrity": "sha512-LVHg0jgjyicKKvpNIEMXIMr1EBViESxcPkqfOlT+X1FkmUMTNZEEVF18tOJg4m4hV5vxtkWcqtr4IEeWa1C41Q==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "fast-xml-parser": "5.2.5",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/@smithy/is-array-buffer": {
@@ -2660,115 +2478,62 @@
         "node": ">=18.0.0"
       }
     },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/fast-xml-parser": {
-      "version": "5.2.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.2.5.tgz",
-      "integrity": "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "strnum": "^2.1.0"
-      },
-      "bin": {
-        "fxparser": "src/cli/cli.js"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-agent-runtime/node_modules/strnum": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.1.tgz",
-      "integrity": "sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/@aws-sdk/client-bedrock-runtime": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-bedrock-runtime/-/client-bedrock-runtime-3.958.0.tgz",
-      "integrity": "sha512-GmcgfGsBvZ+ZJv/AS62MugfMnIO3sA6cbW1gfAWgyaGrQH0mo5Tb1S437sm0uBFHgKWRZPrc1DovXKD45B0mEw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-bedrock-runtime/-/client-bedrock-runtime-3.970.0.tgz",
+      "integrity": "sha512-OJB+Ng2tgobBSvczt8gb4RGqS3AgrBalx/Y/KpIFWBT5fxc67cupKqbsz0nRpjNKR1AGQnPOiz2GyNyBg7KmVw==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/credential-provider-node": "3.958.0",
-        "@aws-sdk/eventstream-handler-node": "3.957.0",
-        "@aws-sdk/middleware-eventstream": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/middleware-websocket": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/token-providers": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/eventstream-serde-browser": "^4.2.7",
-        "@smithy/eventstream-serde-config-resolver": "^4.3.7",
-        "@smithy/eventstream-serde-node": "^4.2.7",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/credential-provider-node": "3.970.0",
+        "@aws-sdk/eventstream-handler-node": "3.969.0",
+        "@aws-sdk/middleware-eventstream": "3.969.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/middleware-websocket": "3.969.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/token-providers": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/eventstream-serde-browser": "^4.2.8",
+        "@smithy/eventstream-serde-config-resolver": "^4.3.8",
+        "@smithy/eventstream-serde-node": "^4.2.8",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
-        "@smithy/util-stream": "^4.5.8",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
+        "@smithy/util-stream": "^4.5.10",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-bedrock-runtime/node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.958.0.tgz",
-      "integrity": "sha512-vdoZbNG2dt66I7EpN3fKCzi6fp9xjIiwEA/vVVgqO4wXCGw8rKPIdDUus4e13VvTr330uQs2W0UNg/7AgtquEQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/credential-provider-env": "3.957.0",
-        "@aws-sdk/credential-provider-http": "3.957.0",
-        "@aws-sdk/credential-provider-ini": "3.958.0",
-        "@aws-sdk/credential-provider-process": "3.957.0",
-        "@aws-sdk/credential-provider-sso": "3.958.0",
-        "@aws-sdk/credential-provider-web-identity": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/credential-provider-imds": "^4.2.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/client-bedrock-runtime/node_modules/@smithy/is-array-buffer": {
@@ -2810,236 +2575,53 @@
       }
     },
     "node_modules/@aws-sdk/client-kendra": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kendra/-/client-kendra-3.927.0.tgz",
-      "integrity": "sha512-DWyNlC6BFhzoDkyKZ3xv0BC/xcXF3Tpq6j6Z42DXO9KEUjiGmC3se9l/GFEVtRLh/DR4p7cTJsxzA2QNuthRNg==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kendra/-/client-kendra-3.970.0.tgz",
+      "integrity": "sha512-AXhLG5RVCco4Ra7kRXzF2S6B6XwGucrjSRRj8s1my9+VuHnC6b/r1EEw11viFG26tB+ISJd5r4cB7NA2SOEjeg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/credential-provider-node": "3.927.0",
-        "@aws-sdk/middleware-host-header": "3.922.0",
-        "@aws-sdk/middleware-logger": "3.922.0",
-        "@aws-sdk/middleware-recursion-detection": "3.922.0",
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/region-config-resolver": "3.925.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@aws-sdk/util-user-agent-browser": "3.922.0",
-        "@aws-sdk/util-user-agent-node": "3.927.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/core": "^3.17.2",
-        "@smithy/fetch-http-handler": "^5.3.5",
-        "@smithy/hash-node": "^4.2.4",
-        "@smithy/invalid-dependency": "^4.2.4",
-        "@smithy/middleware-content-length": "^4.2.4",
-        "@smithy/middleware-endpoint": "^4.3.6",
-        "@smithy/middleware-retry": "^4.4.6",
-        "@smithy/middleware-serde": "^4.2.4",
-        "@smithy/middleware-stack": "^4.2.4",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/node-http-handler": "^4.4.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/credential-provider-node": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.5",
-        "@smithy/util-defaults-mode-node": "^4.2.8",
-        "@smithy/util-endpoints": "^3.2.4",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-retry": "^4.2.4",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
-        "@smithy/uuid": "^1.1.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/core": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.927.0.tgz",
-      "integrity": "sha512-QOtR9QdjNeC7bId3fc/6MnqoEezvQ2Fk+x6F+Auf7NhOxwYAtB1nvh0k3+gJHWVGpfxN1I8keahRZd79U68/ag==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/xml-builder": "3.921.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/signature-v4": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-utf8": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/middleware-host-header": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.922.0.tgz",
-      "integrity": "sha512-HPquFgBnq/KqKRVkiuCt97PmWbKtxQ5iUNLEc6FIviqOoZTmaYG3EDsIbuFBz9C4RHJU4FKLmHL2bL3FEId6AA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/middleware-logger": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.922.0.tgz",
-      "integrity": "sha512-AkvYO6b80FBm5/kk2E636zNNcNgjztNNUxpqVx+huyGn9ZqGTzS4kLqW2hO6CBe5APzVtPCtiQsXL24nzuOlAg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.922.0.tgz",
-      "integrity": "sha512-TtSCEDonV/9R0VhVlCpxZbp/9sxQvTTRKzIf8LxW3uXpby6Wl8IxEciBJlxmSkoqxh542WRcko7NYODlvL/gDA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws/lambda-invoke-store": "^0.1.1",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.927.0.tgz",
-      "integrity": "sha512-sv6St9EgEka6E7y19UMCsttFBZ8tsmz2sstgRd7LztlX3wJynpeDUhq0gtedguG1lGZY/gDf832k5dqlRLUk7g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.925.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.925.0.tgz",
-      "integrity": "sha512-FOthcdF9oDb1pfQBRCfWPZhJZT5wqpvdAS5aJzB1WDZ+6EuaAhLzLH/fW1slDunIqq1PSQGG3uSnVglVVOvPHQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/types": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.922.0.tgz",
-      "integrity": "sha512-eLA6XjVobAUAMivvM7DBL79mnHyrm+32TkXNWZua5mnxF+6kQCfblKKJvxMZLGosO53/Ex46ogim8IY5Nbqv2w==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/util-endpoints": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.922.0.tgz",
-      "integrity": "sha512-4ZdQCSuNMY8HMlR1YN4MRDdXuKd+uQTeKIr5/pIM+g3TjInZoj8imvXudjcrFGA63UF3t92YVTkBq88mg58RXQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
-        "@smithy/util-endpoints": "^3.2.4",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/util-user-agent-browser": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.922.0.tgz",
-      "integrity": "sha512-qOJAERZ3Plj1st7M4Q5henl5FRpE30uLm6L9edZqZXGR6c7ry9jzexWamWVpQ4H4xVAVmiO9dIEBAfbq4mduOA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "bowser": "^2.11.0",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.927.0.tgz",
-      "integrity": "sha512-5Ty+29jBTHg1mathEhLJavzA7A7vmhephRYGenFzo8rApLZh+c+MCAqjddSjdDzcf5FH+ydGGnIrj4iIfbZIMQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "peerDependencies": {
-        "aws-crt": ">=1.0.0"
-      },
-      "peerDependenciesMeta": {
-        "aws-crt": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/@aws-sdk/xml-builder": {
-      "version": "3.921.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.921.0.tgz",
-      "integrity": "sha512-LVHg0jgjyicKKvpNIEMXIMr1EBViESxcPkqfOlT+X1FkmUMTNZEEVF18tOJg4m4hV5vxtkWcqtr4IEeWa1C41Q==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "fast-xml-parser": "5.2.5",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/client-kendra/node_modules/@smithy/is-array-buffer": {
@@ -3080,36 +2662,6 @@
         "node": ">=18.0.0"
       }
     },
-    "node_modules/@aws-sdk/client-kendra/node_modules/fast-xml-parser": {
-      "version": "5.2.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.2.5.tgz",
-      "integrity": "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "strnum": "^2.1.0"
-      },
-      "bin": {
-        "fxparser": "src/cli/cli.js"
-      }
-    },
-    "node_modules/@aws-sdk/client-kendra/node_modules/strnum": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.1.tgz",
-      "integrity": "sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/@aws-sdk/client-s3": {
       "version": "3.758.0",
       "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.758.0.tgz",
@@ -3584,52 +3136,52 @@
       }
     },
     "node_modules/@aws-sdk/client-sso": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso/-/client-sso-3.958.0.tgz",
-      "integrity": "sha512-6qNCIeaMzKzfqasy2nNRuYnMuaMebCcCPP4J2CVGkA8QYMbIVKPlkn9bpB20Vxe6H/r3jtCCLQaOJjVTx/6dXg==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso/-/client-sso-3.970.0.tgz",
+      "integrity": "sha512-ArmgnOsSCXN5VyIvZb4kSP5hpqlRRHolrMtKQ/0N8Hw4MTb7/IeYHSZzVPNzzkuX6gn5Aj8txoUnDPM8O7pc9g==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/client-sso/node_modules/@smithy/is-array-buffer": {
@@ -3671,41 +3223,41 @@
       }
     },
     "node_modules/@aws-sdk/core": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.957.0.tgz",
-      "integrity": "sha512-DrZgDnF1lQZv75a52nFWs6MExihJF2GZB6ETZRqr6jMwhrk2kbJPUtvgbifwcL7AYmVqHQDJBrR/MqkwwFCpiw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/xml-builder": "3.957.0",
-        "@smithy/core": "^3.20.0",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/signature-v4": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.970.0.tgz",
+      "integrity": "sha512-klpzObldOq8HXzDjDlY6K8rMhYZU6mXRz6P9F9N+tWnjoYFfeBMra8wYApydElTUYQKP1O7RLHwH1OKFfKcqIA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/xml-builder": "3.969.0",
+        "@smithy/core": "^3.20.6",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/signature-v4": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-middleware": "^4.2.7",
+        "@smithy/util-middleware": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/core/node_modules/@aws-sdk/xml-builder": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.957.0.tgz",
-      "integrity": "sha512-Ai5iiQqS8kJ5PjzMhWcLKN0G2yasAkvpnPlq2EnqlIMdB48HsizElt62qcktdxp4neRMyGkFq4NzgmDbXnhRiA==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.969.0.tgz",
+      "integrity": "sha512-BSe4Lx/qdRQQdX8cSSI7Et20vqBspzAjBy8ZmXVoyLkol3y4sXBXzn+BiLtR+oh60ExQn6o2DU4QjdOZbXaKIQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "fast-xml-parser": "5.2.5",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/core/node_modules/@smithy/is-array-buffer": {
@@ -3777,114 +3329,114 @@
       "license": "MIT"
     },
     "node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.957.0.tgz",
-      "integrity": "sha512-475mkhGaWCr+Z52fOOVb/q2VHuNvqEDixlYIkeaO6xJ6t9qR0wpLt4hOQaR6zR1wfZV0SlE7d8RErdYq/PByog==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.970.0.tgz",
+      "integrity": "sha512-rtVzXzEtAfZBfh+lq3DAvRar4c3jyptweOAJR2DweyXx71QSMY+O879hjpMwES7jl07a3O1zlnFIDo4KP/96kQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.957.0.tgz",
-      "integrity": "sha512-8dS55QHRxXgJlHkEYaCGZIhieCs9NU1HU1BcqQ4RfUdSsfRdxxktqUKgCnBnOOn0oD3PPA8cQOCAVgIyRb3Rfw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/util-stream": "^4.5.8",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.970.0.tgz",
+      "integrity": "sha512-CjDbWL7JxjLc9ZxQilMusWSw05yRvUJKRpz59IxDpWUnSMHC9JMMUUkOy5Izk8UAtzi6gupRWArp4NG4labt9Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/util-stream": "^4.5.10",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.958.0.tgz",
-      "integrity": "sha512-u7twvZa1/6GWmPBZs6DbjlegCoNzNjBsMS/6fvh5quByYrcJr/uLd8YEr7S3UIq4kR/gSnHqcae7y2nL2bqZdg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/credential-provider-env": "3.957.0",
-        "@aws-sdk/credential-provider-http": "3.957.0",
-        "@aws-sdk/credential-provider-login": "3.958.0",
-        "@aws-sdk/credential-provider-process": "3.957.0",
-        "@aws-sdk/credential-provider-sso": "3.958.0",
-        "@aws-sdk/credential-provider-web-identity": "3.958.0",
-        "@aws-sdk/nested-clients": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/credential-provider-imds": "^4.2.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.970.0.tgz",
+      "integrity": "sha512-L5R1hN1FY/xCmH65DOYMXl8zqCFiAq0bAq8tJZU32mGjIl1GzGeOkeDa9c461d81o7gsQeYzXyqFD3vXEbJ+kQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/credential-provider-env": "3.970.0",
+        "@aws-sdk/credential-provider-http": "3.970.0",
+        "@aws-sdk/credential-provider-login": "3.970.0",
+        "@aws-sdk/credential-provider-process": "3.970.0",
+        "@aws-sdk/credential-provider-sso": "3.970.0",
+        "@aws-sdk/credential-provider-web-identity": "3.970.0",
+        "@aws-sdk/nested-clients": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/credential-provider-imds": "^4.2.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini/node_modules/@aws-sdk/nested-clients": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.958.0.tgz",
-      "integrity": "sha512-/KuCcS8b5TpQXkYOrPLYytrgxBhv81+5pChkOlhegbeHttjM69pyUpQVJqyfDM/A7wPLnDrzCAnk4zaAOkY0Nw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.970.0.tgz",
+      "integrity": "sha512-RIl8s4DCa31MXtRFw23iU90OqEoWuwQxiZOZshzsPtjyrunhHFjyZJEqb+vuQcYd1o22SMaYa3lPJRp64OH35Q==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini/node_modules/@smithy/is-array-buffer": {
@@ -3926,71 +3478,71 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-login": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.958.0.tgz",
-      "integrity": "sha512-sDwtDnBSszUIbzbOORGh5gmXGl9aK25+BHb4gb1aVlqB+nNL2+IUEJA62+CE55lXSH8qXF90paivjK8tOHTwPA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/nested-clients": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.970.0.tgz",
+      "integrity": "sha512-C+1dcLr+p2E+9hbHyvrQTZ46Kj4vC2RoP6N935GEukHQa637ZjXs8VlyHJ2xTvbvwwLZQNiu56Cx7o/OFOqw1A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/nested-clients": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-login/node_modules/@aws-sdk/nested-clients": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.958.0.tgz",
-      "integrity": "sha512-/KuCcS8b5TpQXkYOrPLYytrgxBhv81+5pChkOlhegbeHttjM69pyUpQVJqyfDM/A7wPLnDrzCAnk4zaAOkY0Nw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.970.0.tgz",
+      "integrity": "sha512-RIl8s4DCa31MXtRFw23iU90OqEoWuwQxiZOZshzsPtjyrunhHFjyZJEqb+vuQcYd1o22SMaYa3lPJRp64OH35Q==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-login/node_modules/@smithy/is-array-buffer": {
@@ -4032,610 +3584,129 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.927.0.tgz",
-      "integrity": "sha512-M6BLrI+WHQ7PUY1aYu2OkI/KEz9aca+05zyycACk7cnlHlZaQ3vTFd0xOqF+A1qaenQBuxApOTs7Z21pnPUo9Q==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/credential-provider-env": "3.927.0",
-        "@aws-sdk/credential-provider-http": "3.927.0",
-        "@aws-sdk/credential-provider-ini": "3.927.0",
-        "@aws-sdk/credential-provider-process": "3.927.0",
-        "@aws-sdk/credential-provider-sso": "3.927.0",
-        "@aws-sdk/credential-provider-web-identity": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/credential-provider-imds": "^4.2.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/client-sso": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso/-/client-sso-3.927.0.tgz",
-      "integrity": "sha512-O+e+jo6ei7U/BA7lhT4mmPCWmeR9dFgGUHVwCwJ5c/nCaSaHQ+cb7j2h8WPXERu0LhPSFyj1aD5dk3jFIwNlbg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-crypto/sha256-browser": "5.2.0",
-        "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/middleware-host-header": "3.922.0",
-        "@aws-sdk/middleware-logger": "3.922.0",
-        "@aws-sdk/middleware-recursion-detection": "3.922.0",
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/region-config-resolver": "3.925.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@aws-sdk/util-user-agent-browser": "3.922.0",
-        "@aws-sdk/util-user-agent-node": "3.927.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/core": "^3.17.2",
-        "@smithy/fetch-http-handler": "^5.3.5",
-        "@smithy/hash-node": "^4.2.4",
-        "@smithy/invalid-dependency": "^4.2.4",
-        "@smithy/middleware-content-length": "^4.2.4",
-        "@smithy/middleware-endpoint": "^4.3.6",
-        "@smithy/middleware-retry": "^4.4.6",
-        "@smithy/middleware-serde": "^4.2.4",
-        "@smithy/middleware-stack": "^4.2.4",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/node-http-handler": "^4.4.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
-        "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-body-length-browser": "^4.2.0",
-        "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.5",
-        "@smithy/util-defaults-mode-node": "^4.2.8",
-        "@smithy/util-endpoints": "^3.2.4",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-retry": "^4.2.4",
-        "@smithy/util-utf8": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/core": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.927.0.tgz",
-      "integrity": "sha512-QOtR9QdjNeC7bId3fc/6MnqoEezvQ2Fk+x6F+Auf7NhOxwYAtB1nvh0k3+gJHWVGpfxN1I8keahRZd79U68/ag==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/xml-builder": "3.921.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/signature-v4": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-utf8": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.927.0.tgz",
-      "integrity": "sha512-bAllBpmaWINpf0brXQWh/hjkBctapknZPYb3FJRlBHytEGHi7TpgqBXi8riT0tc6RVWChhnw58rQz22acOmBuw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.927.0.tgz",
-      "integrity": "sha512-jEvb8C7tuRBFhe8vZY9vm9z6UQnbP85IMEt3Qiz0dxAd341Hgu0lOzMv5mSKQ5yBnTLq+t3FPKgD9tIiHLqxSQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/fetch-http-handler": "^5.3.5",
-        "@smithy/node-http-handler": "^4.4.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/util-stream": "^4.5.5",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.927.0.tgz",
-      "integrity": "sha512-WvliaKYT7bNLiryl/FsZyUwRGBo/CWtboekZWvSfloAb+0SKFXWjmxt3z+Y260aoaPm/LIzEyslDHfxqR9xCJQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/credential-provider-env": "3.927.0",
-        "@aws-sdk/credential-provider-http": "3.927.0",
-        "@aws-sdk/credential-provider-process": "3.927.0",
-        "@aws-sdk/credential-provider-sso": "3.927.0",
-        "@aws-sdk/credential-provider-web-identity": "3.927.0",
-        "@aws-sdk/nested-clients": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/credential-provider-imds": "^4.2.4",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.927.0.tgz",
-      "integrity": "sha512-rvqdZIN3TRhLKssufN5G2EWLMBct3ZebOBdwr0tuOoPEdaYflyXYYUScu+Beb541CKfXaFnEOlZokq12r7EPcQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.927.0.tgz",
-      "integrity": "sha512-XrCuncze/kxZE6WYEWtNMGtrJvJtyhUqav4xQQ9PJcNjxCUYiIRv7Gwkt7cuwJ1HS+akQj+JiZmljAg97utfDw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/client-sso": "3.927.0",
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/token-providers": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.927.0.tgz",
-      "integrity": "sha512-Oh/aFYjZQsIiZ2PQEgTNvqEE/mmOYxZKZzXV86qrU3jBUfUUBvprUZc684nBqJbSKPwM5jCZtxiRYh+IrZDE7A==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/nested-clients": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/middleware-host-header": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.922.0.tgz",
-      "integrity": "sha512-HPquFgBnq/KqKRVkiuCt97PmWbKtxQ5iUNLEc6FIviqOoZTmaYG3EDsIbuFBz9C4RHJU4FKLmHL2bL3FEId6AA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/middleware-logger": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.922.0.tgz",
-      "integrity": "sha512-AkvYO6b80FBm5/kk2E636zNNcNgjztNNUxpqVx+huyGn9ZqGTzS4kLqW2hO6CBe5APzVtPCtiQsXL24nzuOlAg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.922.0.tgz",
-      "integrity": "sha512-TtSCEDonV/9R0VhVlCpxZbp/9sxQvTTRKzIf8LxW3uXpby6Wl8IxEciBJlxmSkoqxh542WRcko7NYODlvL/gDA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@aws/lambda-invoke-store": "^0.1.1",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.927.0.tgz",
-      "integrity": "sha512-sv6St9EgEka6E7y19UMCsttFBZ8tsmz2sstgRd7LztlX3wJynpeDUhq0gtedguG1lGZY/gDf832k5dqlRLUk7g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@smithy/core": "^3.17.2",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/nested-clients": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.927.0.tgz",
-      "integrity": "sha512-Oy6w7+fzIdr10DhF/HpfVLy6raZFTdiE7pxS1rvpuj2JgxzW2y6urm2sYf3eLOpMiHyuG4xUBwFiJpU9CCEvJA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-crypto/sha256-browser": "5.2.0",
-        "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/middleware-host-header": "3.922.0",
-        "@aws-sdk/middleware-logger": "3.922.0",
-        "@aws-sdk/middleware-recursion-detection": "3.922.0",
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/region-config-resolver": "3.925.0",
-        "@aws-sdk/types": "3.922.0",
-        "@aws-sdk/util-endpoints": "3.922.0",
-        "@aws-sdk/util-user-agent-browser": "3.922.0",
-        "@aws-sdk/util-user-agent-node": "3.927.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/core": "^3.17.2",
-        "@smithy/fetch-http-handler": "^5.3.5",
-        "@smithy/hash-node": "^4.2.4",
-        "@smithy/invalid-dependency": "^4.2.4",
-        "@smithy/middleware-content-length": "^4.2.4",
-        "@smithy/middleware-endpoint": "^4.3.6",
-        "@smithy/middleware-retry": "^4.4.6",
-        "@smithy/middleware-serde": "^4.2.4",
-        "@smithy/middleware-stack": "^4.2.4",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/node-http-handler": "^4.4.4",
-        "@smithy/protocol-http": "^5.3.4",
-        "@smithy/smithy-client": "^4.9.2",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
-        "@smithy/util-base64": "^4.3.0",
-        "@smithy/util-body-length-browser": "^4.2.0",
-        "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.5",
-        "@smithy/util-defaults-mode-node": "^4.2.8",
-        "@smithy/util-endpoints": "^3.2.4",
-        "@smithy/util-middleware": "^4.2.4",
-        "@smithy/util-retry": "^4.2.4",
-        "@smithy/util-utf8": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.925.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.925.0.tgz",
-      "integrity": "sha512-FOthcdF9oDb1pfQBRCfWPZhJZT5wqpvdAS5aJzB1WDZ+6EuaAhLzLH/fW1slDunIqq1PSQGG3uSnVglVVOvPHQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/config-resolver": "^4.4.2",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/token-providers": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.927.0.tgz",
-      "integrity": "sha512-JRdaprkZjZ6EY4WVwsZaEjPUj9W9vqlSaFDm4oD+IbwlY4GjAXuUQK6skKcvVyoOsSTvJp/CaveSws2FiWUp9Q==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "3.927.0",
-        "@aws-sdk/nested-clients": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/property-provider": "^4.2.4",
-        "@smithy/shared-ini-file-loader": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/types": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.922.0.tgz",
-      "integrity": "sha512-eLA6XjVobAUAMivvM7DBL79mnHyrm+32TkXNWZua5mnxF+6kQCfblKKJvxMZLGosO53/Ex46ogim8IY5Nbqv2w==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/util-endpoints": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.922.0.tgz",
-      "integrity": "sha512-4ZdQCSuNMY8HMlR1YN4MRDdXuKd+uQTeKIr5/pIM+g3TjInZoj8imvXudjcrFGA63UF3t92YVTkBq88mg58RXQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "@smithy/url-parser": "^4.2.4",
-        "@smithy/util-endpoints": "^3.2.4",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/util-user-agent-browser": {
-      "version": "3.922.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.922.0.tgz",
-      "integrity": "sha512-qOJAERZ3Plj1st7M4Q5henl5FRpE30uLm6L9edZqZXGR6c7ry9jzexWamWVpQ4H4xVAVmiO9dIEBAfbq4mduOA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/types": "^4.8.1",
-        "bowser": "^2.11.0",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.927.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.927.0.tgz",
-      "integrity": "sha512-5Ty+29jBTHg1mathEhLJavzA7A7vmhephRYGenFzo8rApLZh+c+MCAqjddSjdDzcf5FH+ydGGnIrj4iIfbZIMQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/middleware-user-agent": "3.927.0",
-        "@aws-sdk/types": "3.922.0",
-        "@smithy/node-config-provider": "^4.3.4",
-        "@smithy/types": "^4.8.1",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "peerDependencies": {
-        "aws-crt": ">=1.0.0"
-      },
-      "peerDependenciesMeta": {
-        "aws-crt": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/xml-builder": {
-      "version": "3.921.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.921.0.tgz",
-      "integrity": "sha512-LVHg0jgjyicKKvpNIEMXIMr1EBViESxcPkqfOlT+X1FkmUMTNZEEVF18tOJg4m4hV5vxtkWcqtr4IEeWa1C41Q==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/types": "^4.8.1",
-        "fast-xml-parser": "5.2.5",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@smithy/is-array-buffer": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-4.2.0.tgz",
-      "integrity": "sha512-DZZZBvC7sjcYh4MazJSGiWMI2L7E0oCiRHREDzIxi/M2LY79/21iXt6aPLHge82wi5LsuRF5A06Ds3+0mlh6CQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@smithy/util-buffer-from": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-4.2.0.tgz",
-      "integrity": "sha512-kAY9hTKulTNevM2nlRtxAG2FQ3B2OR6QIrPY3zE5LqJy1oxzmgBGsHLWTcNhWXKchgA0WHW+mZkQrng/pgcCew==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.970.0.tgz",
+      "integrity": "sha512-nMM0eeVuiLtw1taLRQ+H/H5Qp11rva8ILrzAQXSvlbDeVmbc7d8EeW5Q2xnCJu+3U+2JNZ1uxqIL22pB2sLEMA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/is-array-buffer": "^4.2.0",
+        "@aws-sdk/credential-provider-env": "3.970.0",
+        "@aws-sdk/credential-provider-http": "3.970.0",
+        "@aws-sdk/credential-provider-ini": "3.970.0",
+        "@aws-sdk/credential-provider-process": "3.970.0",
+        "@aws-sdk/credential-provider-sso": "3.970.0",
+        "@aws-sdk/credential-provider-web-identity": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/credential-provider-imds": "^4.2.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/@smithy/util-utf8": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-4.2.0.tgz",
-      "integrity": "sha512-zBPfuzoI8xyBtR2P6WQj63Rz8i3AmfAaJLuNG8dWsfvPe8lO4aCPYLn879mEgHndZH1zQ2oXmG8O1GGzzaoZiw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/util-buffer-from": "^4.2.0",
-        "tslib": "^2.6.2"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/fast-xml-parser": {
-      "version": "5.2.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.2.5.tgz",
-      "integrity": "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "strnum": "^2.1.0"
-      },
-      "bin": {
-        "fxparser": "src/cli/cli.js"
+        "node": ">=20.0.0"
       }
     },
-    "node_modules/@aws-sdk/credential-provider-node/node_modules/strnum": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.1.tgz",
-      "integrity": "sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.957.0.tgz",
-      "integrity": "sha512-/KIz9kadwbeLy6SKvT79W81Y+hb/8LMDyeloA2zhouE28hmne+hLn0wNCQXAAupFFlYOAtZR2NTBs7HBAReJlg==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.970.0.tgz",
+      "integrity": "sha512-0XeT8OaT9iMA62DFV9+m6mZfJhrD0WNKf4IvsIpj2Z7XbaYfz3CoDDvNoALf3rPY9NzyMHgDxOspmqdvXP00mw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.958.0.tgz",
-      "integrity": "sha512-CBYHJ5ufp8HC4q+o7IJejCUctJXWaksgpmoFpXerbjAso7/Fg7LLUu9inXVOxlHKLlvYekDXjIUBXDJS2WYdgg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/client-sso": "3.958.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/token-providers": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.970.0.tgz",
+      "integrity": "sha512-ROb+Aijw8nzkB14Nh2XRH861++SeTZykUzk427y8YtgTLxjAOjgDTchDUFW2Fx6GFWkSjqJ3sY7SZyb33IqyFw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/client-sso": "3.970.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/token-providers": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.958.0.tgz",
-      "integrity": "sha512-dgnvwjMq5Y66WozzUzxNkCFap+umHUtqMMKlr8z/vl9NYMLem/WUbWNpFFOVFWquXikc+ewtpBMR4KEDXfZ+KA==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.970.0.tgz",
+      "integrity": "sha512-r7tnYJJg+B6QvnsRHSW5vDol+ks6n+5jBZdCFdGyK63hjcMRMqHx59zEH8O47UR1PFv5hS2Q3uGz6HXvVtP40Q==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/nested-clients": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/nested-clients": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity/node_modules/@aws-sdk/nested-clients": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.958.0.tgz",
-      "integrity": "sha512-/KuCcS8b5TpQXkYOrPLYytrgxBhv81+5pChkOlhegbeHttjM69pyUpQVJqyfDM/A7wPLnDrzCAnk4zaAOkY0Nw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.970.0.tgz",
+      "integrity": "sha512-RIl8s4DCa31MXtRFw23iU90OqEoWuwQxiZOZshzsPtjyrunhHFjyZJEqb+vuQcYd1o22SMaYa3lPJRp64OH35Q==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity/node_modules/@smithy/is-array-buffer": {
@@ -4677,18 +3748,18 @@
       }
     },
     "node_modules/@aws-sdk/eventstream-handler-node": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/eventstream-handler-node/-/eventstream-handler-node-3.957.0.tgz",
-      "integrity": "sha512-X3e/PBEl66efNCRR840IU2HM4oLMaP/Krc1w7vEqgKKhIbyiLRJ43NSrxNEYadQ19P/U0U7JHMCC9HbwhIMTeg==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/eventstream-handler-node/-/eventstream-handler-node-3.969.0.tgz",
+      "integrity": "sha512-bU3nB+zcNLz9zellbRR7nYxUD1Zz3W2WK9P7CqZcN0RDga/fTW3CSq6+uWAmSJfCTzUoLKNzx4bIuWYu/ct/MA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/eventstream-codec": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/eventstream-codec": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-bucket-endpoint": {
@@ -4723,18 +3794,18 @@
       }
     },
     "node_modules/@aws-sdk/middleware-eventstream": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-eventstream/-/middleware-eventstream-3.957.0.tgz",
-      "integrity": "sha512-zFAx12yGEJcf35cnlv4zepqxZA0Z3orrhQdN7mjzvbHQGqDX+7gAnKEyTEsYdCD5ICZHuHxvhEnfE+pVIx0e7A==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-eventstream/-/middleware-eventstream-3.969.0.tgz",
+      "integrity": "sha512-gLWuRGZUR4gM5tAAII4Z6zga5wOXWhLSkZLdC2i/K30GlfjJhiXyJodOyAHezxWm8WjUxP9anJq7vlOIQwVKYw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-expect-continue": {
@@ -4863,18 +3934,18 @@
       }
     },
     "node_modules/@aws-sdk/middleware-host-header": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.957.0.tgz",
-      "integrity": "sha512-BBgKawVyfQZglEkNTuBBdC3azlyqNXsvvN4jPkWAiNYcY0x1BasaJFl+7u/HisfULstryweJq/dAvIZIxzlZaA==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.969.0.tgz",
+      "integrity": "sha512-AWa4rVsAfBR4xqm7pybQ8sUNJYnjyP/bJjfAw34qPuh3M9XrfGbAHG0aiAfQGrBnmS28jlO6Kz69o+c6PRw1dw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-location-constraint": {
@@ -4905,42 +3976,33 @@
       }
     },
     "node_modules/@aws-sdk/middleware-logger": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.957.0.tgz",
-      "integrity": "sha512-w1qfKrSKHf9b5a8O76yQ1t69u6NWuBjr5kBX+jRWFx/5mu6RLpqERXRpVJxfosbep7k3B+DSB5tZMZ82GKcJtQ==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.969.0.tgz",
+      "integrity": "sha512-xwrxfip7Y2iTtCMJ+iifN1E1XMOuhxIHY9DreMCvgdl4r7+48x2S1bCYPWH3eNY85/7CapBWdJ8cerpEl12sQQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.957.0.tgz",
-      "integrity": "sha512-D2H/WoxhAZNYX+IjkKTdOhOkWQaK0jjJrDBj56hKjU5c9ltQiaX/1PqJ4dfjHntEshJfu0w+E6XJ+/6A6ILBBA==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.969.0.tgz",
+      "integrity": "sha512-2r3PuNquU3CcS1Am4vn/KHFwLi8QFjMdA/R+CRDXT4AFO/0qxevF/YStW3gAKntQIgWgQV8ZdEtKAoJvLI4UWg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
+        "@aws-sdk/types": "3.969.0",
         "@aws/lambda-invoke-store": "^0.2.2",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
-      }
-    },
-    "node_modules/@aws-sdk/middleware-recursion-detection/node_modules/@aws/lambda-invoke-store": {
-      "version": "0.2.2",
-      "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.2.tgz",
-      "integrity": "sha512-C0NBLsIqzDIae8HFw9YIrIBsbc0xTiOtt7fAukGPnqQ/+zZNaq+4jhuccltK0QuWHBnNm/a6kLIRA6GFiM10eg==",
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-sdk-s3": {
@@ -5069,37 +4131,37 @@
       }
     },
     "node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.957.0.tgz",
-      "integrity": "sha512-50vcHu96XakQnIvlKJ1UoltrFODjsq2KvtTgHiPFteUS884lQnK5VC/8xd1Msz/1ONpLMzdCVproCQqhDTtMPQ==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.970.0.tgz",
+      "integrity": "sha512-dnSJGGUGSFGEX2NzvjwSefH+hmZQ347AwbLhAsi0cdnISSge+pcGfOFrJt2XfBIypwFe27chQhlfuf/gWdzpZg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@smithy/core": "^3.20.0",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@smithy/core": "^3.20.6",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/middleware-websocket": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-websocket/-/middleware-websocket-3.957.0.tgz",
-      "integrity": "sha512-/VyCEDTS56V2UZ+nNUDhZ9fuMgrKkO+9Od47umpgn9Mq7BZ7Cw9emJkvMSNNZAbtMeDaHN4lUYmmF8XhYgJOPQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-format-url": "3.957.0",
-        "@smithy/eventstream-codec": "^4.2.7",
-        "@smithy/eventstream-serde-browser": "^4.2.7",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/signature-v4": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-websocket/-/middleware-websocket-3.969.0.tgz",
+      "integrity": "sha512-Zdd9sGDkZgOMpySpkJuJT1bi3D5Zj0eTvVLJxob1nnj5usXenL58B/3MRPKe7yWJheHxLr67mR/s9vLnGcIsRQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-format-url": "3.969.0",
+        "@smithy/eventstream-codec": "^4.2.8",
+        "@smithy/eventstream-serde-browser": "^4.2.8",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/signature-v4": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-hex-encoding": "^4.2.0",
         "tslib": "^2.6.2"
       },
@@ -5108,18 +4170,18 @@
       }
     },
     "node_modules/@aws-sdk/middleware-websocket/node_modules/@aws-sdk/util-format-url": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-format-url/-/util-format-url-3.957.0.tgz",
-      "integrity": "sha512-Yyo/tlc0iGFGTPPkuxub1uRAv6XrnVnvSNjslZh5jIYA8GZoeEFPgJa3Qdu0GUS/YwoK8GOLnnaL9h/eH5LDJQ==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-format-url/-/util-format-url-3.969.0.tgz",
+      "integrity": "sha512-C7ZiE8orcrEF9In+XDlIKrZhMjp0HCPUH6u74pgadE3T2LRre5TmOQcTt785/wVS2G0we9cxkjlzMrfDsfPvFw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/querystring-builder": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/querystring-builder": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/nested-clients": {
@@ -5361,19 +4423,19 @@
       }
     },
     "node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.957.0.tgz",
-      "integrity": "sha512-V8iY3blh8l2iaOqXWW88HbkY5jDoWjH56jonprG/cpyqqCnprvpMUZWPWYJoI8rHRf2bqzZeql1slxG6EnKI7A==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.969.0.tgz",
+      "integrity": "sha512-scj9OXqKpcjJ4jsFLtqYWz3IaNvNOQTFFvEY8XMJXTv+3qF5I7/x9SJtKzTRJEBF3spjzBUYPtGFbs9sj4fisQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/s3-request-presigner": {
@@ -5439,70 +4501,70 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.958.0.tgz",
-      "integrity": "sha512-UCj7lQXODduD1myNJQkV+LYcGYJ9iiMggR8ow8Hva1g3A/Na5imNXzz6O67k7DAee0TYpy+gkNw+SizC6min8Q==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.970.0.tgz",
+      "integrity": "sha512-YO8KgJecxHIFMhfoP880q51VXFL9V1ELywK5yzVEqzyrwqoG93IUmnTygBUylQrfkbH+QqS0FxEdgwpP3fcwoQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/nested-clients": "3.958.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/nested-clients": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/token-providers/node_modules/@aws-sdk/nested-clients": {
-      "version": "3.958.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.958.0.tgz",
-      "integrity": "sha512-/KuCcS8b5TpQXkYOrPLYytrgxBhv81+5pChkOlhegbeHttjM69pyUpQVJqyfDM/A7wPLnDrzCAnk4zaAOkY0Nw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.970.0.tgz",
+      "integrity": "sha512-RIl8s4DCa31MXtRFw23iU90OqEoWuwQxiZOZshzsPtjyrunhHFjyZJEqb+vuQcYd1o22SMaYa3lPJRp64OH35Q==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "3.957.0",
-        "@aws-sdk/middleware-host-header": "3.957.0",
-        "@aws-sdk/middleware-logger": "3.957.0",
-        "@aws-sdk/middleware-recursion-detection": "3.957.0",
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/region-config-resolver": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@aws-sdk/util-endpoints": "3.957.0",
-        "@aws-sdk/util-user-agent-browser": "3.957.0",
-        "@aws-sdk/util-user-agent-node": "3.957.0",
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/core": "^3.20.0",
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/hash-node": "^4.2.7",
-        "@smithy/invalid-dependency": "^4.2.7",
-        "@smithy/middleware-content-length": "^4.2.7",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-retry": "^4.4.17",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@aws-sdk/core": "3.970.0",
+        "@aws-sdk/middleware-host-header": "3.969.0",
+        "@aws-sdk/middleware-logger": "3.969.0",
+        "@aws-sdk/middleware-recursion-detection": "3.969.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/region-config-resolver": "3.969.0",
+        "@aws-sdk/types": "3.969.0",
+        "@aws-sdk/util-endpoints": "3.970.0",
+        "@aws-sdk/util-user-agent-browser": "3.969.0",
+        "@aws-sdk/util-user-agent-node": "3.970.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/core": "^3.20.6",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/hash-node": "^4.2.8",
+        "@smithy/invalid-dependency": "^4.2.8",
+        "@smithy/middleware-content-length": "^4.2.8",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-retry": "^4.4.23",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
         "@smithy/util-body-length-node": "^4.2.1",
-        "@smithy/util-defaults-mode-browser": "^4.3.16",
-        "@smithy/util-defaults-mode-node": "^4.2.19",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+        "@smithy/util-defaults-mode-browser": "^4.3.22",
+        "@smithy/util-defaults-mode-node": "^4.2.25",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/token-providers/node_modules/@smithy/is-array-buffer": {
@@ -5544,16 +4606,16 @@
       }
     },
     "node_modules/@aws-sdk/types": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.957.0.tgz",
-      "integrity": "sha512-wzWC2Nrt859ABk6UCAVY/WYEbAd7FjkdrQL6m24+tfmWYDNRByTJ9uOgU/kw9zqLCAwb//CPvrJdhqjTznWXAg==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.969.0.tgz",
+      "integrity": "sha512-7IIzM5TdiXn+VtgPdVLjmE6uUBUtnga0f4RiSEI1WW10RPuNvZ9U+pL3SwDiRDAdoGrOF9tSLJOFZmfuwYuVYQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/util-arn-parser": {
@@ -5569,19 +4631,19 @@
       }
     },
     "node_modules/@aws-sdk/util-endpoints": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.957.0.tgz",
-      "integrity": "sha512-xwF9K24mZSxcxKS3UKQFeX/dPYkEps9wF1b+MGON7EvnbcucrJGyQyK1v1xFPn1aqXkBTFi+SZaMRx5E5YCVFw==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.970.0.tgz",
+      "integrity": "sha512-TZNZqFcMUtjvhZoZRtpEGQAdULYiy6rcGiXAbLU7e9LSpIYlRqpLa207oMNfgbzlL2PnHko+eVg8rajDiSOYCg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
-        "@smithy/util-endpoints": "^3.2.7",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
+        "@smithy/util-endpoints": "^3.2.8",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       }
     },
     "node_modules/@aws-sdk/util-format-url": {
@@ -5624,31 +4686,31 @@
       }
     },
     "node_modules/@aws-sdk/util-user-agent-browser": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.957.0.tgz",
-      "integrity": "sha512-exueuwxef0lUJRnGaVkNSC674eAiWU07ORhxBnevFFZEKisln+09Qrtw823iyv5I1N8T+wKfh95xvtWQrNKNQw==",
+      "version": "3.969.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.969.0.tgz",
+      "integrity": "sha512-bpJGjuKmFr0rA6UKUCmN8D19HQFMLXMx5hKBXqBlPFdalMhxJSjcxzX9DbQh0Fn6bJtxCguFmRGOBdQqNOt49g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/types": "^4.12.0",
         "bowser": "^2.11.0",
         "tslib": "^2.6.2"
       }
     },
     "node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.957.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.957.0.tgz",
-      "integrity": "sha512-ycbYCwqXk4gJGp0Oxkzf2KBeeGBdTxz559D41NJP8FlzSej1Gh7Rk40Zo6AyTfsNWkrl/kVi1t937OIzC5t+9Q==",
+      "version": "3.970.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.970.0.tgz",
+      "integrity": "sha512-TNQpwIVD6SxMwkD+QKnaujKVyXy5ljN3O3jrI7nCHJ3GlJu5xJrd8yuBnanYCcrn3e2zwdfOh4d4zJAZvvIvVw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/middleware-user-agent": "3.957.0",
-        "@aws-sdk/types": "3.957.0",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/types": "^4.11.0",
+        "@aws-sdk/middleware-user-agent": "3.970.0",
+        "@aws-sdk/types": "3.969.0",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=20.0.0"
       },
       "peerDependencies": {
         "aws-crt": ">=1.0.0"
@@ -5673,9 +4735,9 @@
       }
     },
     "node_modules/@aws/lambda-invoke-store": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.1.1.tgz",
-      "integrity": "sha512-RcLam17LdlbSOSp9VxmUu1eI6Mwxp+OwhD2QhiSNmNCzoDb0EeUXTD2n/WbcnrAYMGlmf05th6QYq23VqvJqpA==",
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.3.tgz",
+      "integrity": "sha512-oLvsaPMTBejkkmHhjf09xTgk71mOqyr/409NKhRIL08If7AhVfUsJhVsx386uJaqNd42v9kWamQ9lFbkoC2dYw==",
       "license": "Apache-2.0",
       "engines": {
         "node": ">=18.0.0"
@@ -10729,9 +9791,9 @@
       }
     },
     "node_modules/@google/generative-ai": {
-      "version": "0.24.0",
-      "resolved": "https://registry.npmjs.org/@google/generative-ai/-/generative-ai-0.24.0.tgz",
-      "integrity": "sha512-fnEITCGEB7NdX0BhoYZ/cq/7WPZ1QS5IzJJfC3Tg/OwkvBetMiVJciyaan297OvE4B9Jg1xvo0zIazX/9sGu1Q==",
+      "version": "0.24.1",
+      "resolved": "https://registry.npmjs.org/@google/generative-ai/-/generative-ai-0.24.1.tgz",
+      "integrity": "sha512-MqO+MLfM6kjxcKoy0p1wRzG3b4ZZXtPI+z2IE26UogS2Cm/XHO+7gGRBh6gcJsOiIVoH93UwKvW4HdgiOZCy9Q==",
       "license": "Apache-2.0",
       "engines": {
         "node": ">=18.0.0"
@@ -12100,9 +11162,9 @@
       }
     },
     "node_modules/@langchain/anthropic": {
-      "version": "0.3.33",
-      "resolved": "https://registry.npmjs.org/@langchain/anthropic/-/anthropic-0.3.33.tgz",
-      "integrity": "sha512-uaMwieUNQbFbu0TQG6Kiub2m7hGcdjQRwniu2RzB4mroUsYCcFThv3MDumEjFMQZW/9P0eyzzTGPXJCNdQUoZg==",
+      "version": "0.3.34",
+      "resolved": "https://registry.npmjs.org/@langchain/anthropic/-/anthropic-0.3.34.tgz",
+      "integrity": "sha512-8bOW1A2VHRCjbzdYElrjxutKNs9NSIxYRGtR+OJWVzluMqoKKh2NmmFrpPizEyqCUEG2tTq5xt6XA1lwfqMJRA==",
       "license": "MIT",
       "dependencies": {
         "@anthropic-ai/sdk": "^0.65.0",
@@ -12342,18 +11404,6 @@
         "@langchain/core": ">=0.3.58 <0.4.0"
       }
     },
-    "node_modules/@langchain/google-genai/node_modules/uuid": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
-      "funding": [
-        "https://github.com/sponsors/broofa",
-        "https://github.com/sponsors/ctavan"
-      ],
-      "bin": {
-        "uuid": "dist/esm/bin/uuid"
-      }
-    },
     "node_modules/@langchain/google-vertexai": {
       "version": "0.2.18",
       "resolved": "https://registry.npmjs.org/@langchain/google-vertexai/-/google-vertexai-0.2.18.tgz",
@@ -12449,6 +11499,19 @@
         }
       }
     },
+    "node_modules/@langchain/langgraph-sdk/node_modules/uuid": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
+      "license": "MIT",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
     "node_modules/@langchain/langgraph/node_modules/uuid": {
       "version": "10.0.0",
       "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
@@ -12539,22 +11602,22 @@
       }
     },
     "node_modules/@langfuse/core": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/@langfuse/core/-/core-4.4.1.tgz",
-      "integrity": "sha512-qg8Pc+scPY6XXePN7Hy91YGfiuqW1QJAa8pyqZhQ3vYPGssoa/vkabmDPQycRIT6cQOurmN+KbA6rQDtJVtgbw==",
+      "version": "4.5.1",
+      "resolved": "https://registry.npmjs.org/@langfuse/core/-/core-4.5.1.tgz",
+      "integrity": "sha512-caJ2YWcaEU+kbzxFiyzRYaCmKxGzL9DSxbrCer8HbayYo2TaFaAu67Zeili8u8qG4q7TXga4aL2+rpU5ebWdRA==",
       "license": "MIT",
       "peerDependencies": {
         "@opentelemetry/api": "^1.9.0"
       }
     },
     "node_modules/@langfuse/langchain": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/@langfuse/langchain/-/langchain-4.4.1.tgz",
-      "integrity": "sha512-yyqpa1lLYdHTIzmzPX80L2n4DsR8yMd9g1gD61Xjq2I1I0He+IL5n0nLlm+88py7MEA/TB/YsqBdVNS2vCNeQg==",
+      "version": "4.5.1",
+      "resolved": "https://registry.npmjs.org/@langfuse/langchain/-/langchain-4.5.1.tgz",
+      "integrity": "sha512-+pzC/WVR9f8YS3vEi69GmTNzwqJ9z2VZN8tOGYO3zO15b306aMTvUm44/EYCanWiZjhwUNqEM25jEHB+/dCFYA==",
       "license": "MIT",
       "dependencies": {
-        "@langfuse/core": "^4.4.1",
-        "@langfuse/tracing": "^4.4.1"
+        "@langfuse/core": "^4.5.1",
+        "@langfuse/tracing": "^4.5.1"
       },
       "peerDependencies": {
         "@langchain/core": ">=0.3.0",
@@ -12562,12 +11625,12 @@
       }
     },
     "node_modules/@langfuse/otel": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/@langfuse/otel/-/otel-4.4.1.tgz",
-      "integrity": "sha512-6nC5/buyyUPT+JgfkkapcVUkwqMLyz7Ld0OYzzBzwl2gVQKeUHaYRPM/mfJqIj1Ov1oAnnpsVDk85xAviXdV0g==",
+      "version": "4.5.1",
+      "resolved": "https://registry.npmjs.org/@langfuse/otel/-/otel-4.5.1.tgz",
+      "integrity": "sha512-cqykMEAYmGnd9RSZW2FPCNLda5jKZpCOnHTCu0pQD8EDgxCaHbnmD16k6WyjE/jywh991BcIFXzYub2fNbbSSQ==",
       "license": "MIT",
       "dependencies": {
-        "@langfuse/core": "^4.4.1"
+        "@langfuse/core": "^4.5.1"
       },
       "engines": {
         "node": ">=20"
@@ -12580,12 +11643,12 @@
       }
     },
     "node_modules/@langfuse/tracing": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/@langfuse/tracing/-/tracing-4.4.1.tgz",
-      "integrity": "sha512-PK3MCwHaReF8wJUYUq2YTeKA52EImi2OKJsSBM+i8ayKqrEY3kKPsAAROBSWOs/qx9eqZCJvlRovSwSRmhZDGQ==",
+      "version": "4.5.1",
+      "resolved": "https://registry.npmjs.org/@langfuse/tracing/-/tracing-4.5.1.tgz",
+      "integrity": "sha512-PvN8fJzEDG2IQMD7/iGhoeEzMM0fJ/ktZdy5gfMfj3/UUccigqV0flxpzvgRoAUss+0ZmqkIlJoaerHKOCMD+A==",
       "license": "MIT",
       "dependencies": {
-        "@langfuse/core": "^4.4.1"
+        "@langfuse/core": "^4.5.1"
       },
       "engines": {
         "node": ">=20"
@@ -12646,11 +11709,12 @@
       }
     },
     "node_modules/@librechat/agents": {
-      "version": "3.0.776",
-      "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.0.776.tgz",
-      "integrity": "sha512-tLhFqyjlGl70QV8mq9cvmvwQ0hw/WCIC7ayEY5zJAXK+WTO80ir7xjYtXz98PX0+hNwNu8PFekgnSTWrYIrT0w==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.0.tgz",
+      "integrity": "sha512-cnZTxSdIfBZZslsQlizA4grxVhAgeHeNPZiwIly+E2IfPJDg8oz+uvtQGXOEKRA0PHL1xRzAb6sqPMUTdm/2RA==",
       "license": "MIT",
       "dependencies": {
+        "@aws-sdk/client-bedrock-runtime": "^3.970.0",
         "@langchain/anthropic": "^0.3.26",
         "@langchain/aws": "^0.1.15",
         "@langchain/core": "^0.3.80",
@@ -12761,9 +11825,9 @@
       }
     },
     "node_modules/@mistralai/mistralai": {
-      "version": "1.10.0",
-      "resolved": "https://registry.npmjs.org/@mistralai/mistralai/-/mistralai-1.10.0.tgz",
-      "integrity": "sha512-tdIgWs4Le8vpvPiUEWne6tK0qbVc+jMenujnvTqOjogrJUsCSQhus0tHTU1avDDh5//Rq2dFgP9mWRAdIEoBqg==",
+      "version": "1.11.0",
+      "resolved": "https://registry.npmjs.org/@mistralai/mistralai/-/mistralai-1.11.0.tgz",
+      "integrity": "sha512-6/BVj2mcaggYbpMzNSxtqtM2Tv/Jb5845XFd2CMYFO+O5VBkX70iLjtkBBTI4JFhh1l9vTCIMYXBVOjLoBVHGQ==",
       "dependencies": {
         "zod": "^3.20.0",
         "zod-to-json-schema": "^3.24.1"
@@ -12909,9 +11973,9 @@
       }
     },
     "node_modules/@opentelemetry/api-logs": {
-      "version": "0.208.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/api-logs/-/api-logs-0.208.0.tgz",
-      "integrity": "sha512-CjruKY9V6NMssL/T1kAFgzosF1v9o6oeN+aX5JB/C/xPNtmgIJqcXHG7fA82Ou1zCpWGl4lROQUKwUNE1pMCyg==",
+      "version": "0.210.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/api-logs/-/api-logs-0.210.0.tgz",
+      "integrity": "sha512-CMtLxp+lYDriveZejpBND/2TmadrrhUfChyxzmkFtHaMDdSKfP59MAYyA0ICBvEBdm3iXwLcaj/8Ic/pnGw9Yg==",
       "license": "Apache-2.0",
       "peer": true,
       "dependencies": {
@@ -12934,10 +11998,11 @@
       }
     },
     "node_modules/@opentelemetry/core": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
-      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.4.0.tgz",
+      "integrity": "sha512-KtcyFHssTn5ZgDu6SXmUznS80OFs/wN7y6MyFRRcKU6TOw8hNcGxKvt8hsdaLJfhzUszNSjURetq5Qpkad14Gw==",
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "@opentelemetry/semantic-conventions": "^1.29.0"
       },
@@ -12980,6 +12045,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13017,6 +12097,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13034,6 +12130,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-logs-otlp-grpc/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-http": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-logs-otlp-http/-/exporter-logs-otlp-http-0.207.0.tgz",
@@ -13065,6 +12194,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13102,6 +12246,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13119,6 +12279,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-logs-otlp-http/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-proto": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-logs-otlp-proto/-/exporter-logs-otlp-proto-0.207.0.tgz",
@@ -13152,6 +12345,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13189,6 +12397,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13206,6 +12430,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-logs-otlp-proto/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-grpc": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-metrics-otlp-grpc/-/exporter-metrics-otlp-grpc-0.207.0.tgz",
@@ -13240,6 +12497,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13277,6 +12549,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13294,6 +12582,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-grpc/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-http": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-metrics-otlp-http/-/exporter-metrics-otlp-http-0.207.0.tgz",
@@ -13325,6 +12646,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13362,6 +12698,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13379,6 +12731,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-http/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-proto": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-metrics-otlp-proto/-/exporter-metrics-otlp-proto-0.207.0.tgz",
@@ -13411,6 +12796,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13448,6 +12848,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13465,6 +12881,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-metrics-otlp-proto/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-prometheus": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-prometheus/-/exporter-prometheus-0.207.0.tgz",
@@ -13482,6 +12931,53 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-prometheus/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-prometheus/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-prometheus/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-trace-otlp-grpc": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-grpc/-/exporter-trace-otlp-grpc-0.207.0.tgz",
@@ -13515,6 +13011,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13552,6 +13063,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13569,18 +13096,51 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
-    "node_modules/@opentelemetry/exporter-trace-otlp-http": {
-      "version": "0.208.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-http/-/exporter-trace-otlp-http-0.208.0.tgz",
-      "integrity": "sha512-jbzDw1q+BkwKFq9yxhjAJ9rjKldbt5AgIy1gmEIJjEV/WRxQ3B6HcLVkwbjJ3RcMif86BDNKR846KJ0tY0aOJA==",
+    "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-trace-otlp-grpc/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
       "license": "Apache-2.0",
-      "peer": true,
       "dependencies": {
         "@opentelemetry/core": "2.2.0",
-        "@opentelemetry/otlp-exporter-base": "0.208.0",
-        "@opentelemetry/otlp-transformer": "0.208.0",
         "@opentelemetry/resources": "2.2.0",
-        "@opentelemetry/sdk-trace-base": "2.2.0"
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-trace-otlp-http": {
+      "version": "0.210.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-http/-/exporter-trace-otlp-http-0.210.0.tgz",
+      "integrity": "sha512-9JkyaCl70anEtuKZdoCQmjDuz1/paEixY/DWfsvHt7PGKq3t8/nQ/6/xwxHjG+SkPAUbo1Iq4h7STe7Pk2bc5A==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "dependencies": {
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/otlp-exporter-base": "0.210.0",
+        "@opentelemetry/otlp-transformer": "0.210.0",
+        "@opentelemetry/resources": "2.4.0",
+        "@opentelemetry/sdk-trace-base": "2.4.0"
       },
       "engines": {
         "node": "^18.19.0 || >=20.6.0"
@@ -13620,6 +13180,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13657,6 +13232,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13674,6 +13265,39 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-trace-otlp-proto/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/exporter-zipkin": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-zipkin/-/exporter-zipkin-2.2.0.tgz",
@@ -13692,6 +13316,54 @@
         "@opentelemetry/api": "^1.0.0"
       }
     },
+    "node_modules/@opentelemetry/exporter-zipkin/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-zipkin/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/exporter-zipkin/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/instrumentation": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation/-/instrumentation-0.207.0.tgz",
@@ -13722,14 +13394,14 @@
       }
     },
     "node_modules/@opentelemetry/otlp-exporter-base": {
-      "version": "0.208.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.208.0.tgz",
-      "integrity": "sha512-gMd39gIfVb2OgxldxUtOwGJYSH8P1kVFFlJLuut32L6KgUC4gl1dMhn+YC2mGn0bDOiQYSk/uHOdSjuKp58vvA==",
+      "version": "0.210.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.210.0.tgz",
+      "integrity": "sha512-uk78DcZoBNHIm26h0oXc8Pizh4KDJ/y04N5k/UaI9J7xR7mL8QcMcYPQG9xxN7m8qotXOMDRW6qTAyptav4+3w==",
       "license": "Apache-2.0",
       "peer": true,
       "dependencies": {
-        "@opentelemetry/core": "2.2.0",
-        "@opentelemetry/otlp-transformer": "0.208.0"
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/otlp-transformer": "0.210.0"
       },
       "engines": {
         "node": "^18.19.0 || >=20.6.0"
@@ -13768,6 +13440,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/otlp-exporter-base": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.207.0.tgz",
@@ -13805,6 +13492,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -13822,20 +13525,53 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
-    "node_modules/@opentelemetry/otlp-transformer": {
-      "version": "0.208.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-transformer/-/otlp-transformer-0.208.0.tgz",
-      "integrity": "sha512-DCFPY8C6lAQHUNkzcNT9R+qYExvsk6C5Bto2pbNxgicpcSWbe2WHShLxkOxIdNcBiYPdVHv/e7vH7K6TI+C+fQ==",
+    "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/otlp-grpc-exporter-base/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
       "license": "Apache-2.0",
-      "peer": true,
       "dependencies": {
-        "@opentelemetry/api-logs": "0.208.0",
         "@opentelemetry/core": "2.2.0",
         "@opentelemetry/resources": "2.2.0",
-        "@opentelemetry/sdk-logs": "0.208.0",
-        "@opentelemetry/sdk-metrics": "2.2.0",
-        "@opentelemetry/sdk-trace-base": "2.2.0",
-        "protobufjs": "^7.3.0"
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/otlp-transformer": {
+      "version": "0.210.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-transformer/-/otlp-transformer-0.210.0.tgz",
+      "integrity": "sha512-nkHBJVSJGOwkRZl+BFIr7gikA93/U8XkL2EWaiDbj3DVjmTEZQpegIKk0lT8oqQYfP8FC6zWNjuTfkaBVqa0ZQ==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "dependencies": {
+        "@opentelemetry/api-logs": "0.210.0",
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/resources": "2.4.0",
+        "@opentelemetry/sdk-logs": "0.210.0",
+        "@opentelemetry/sdk-metrics": "2.4.0",
+        "@opentelemetry/sdk-trace-base": "2.4.0",
+        "protobufjs": "8.0.0"
       },
       "engines": {
         "node": "^18.19.0 || >=20.6.0"
@@ -13844,6 +13580,31 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-8.0.0.tgz",
+      "integrity": "sha512-jx6+sE9h/UryaCZhsJWbJtTEy47yXoGNYI4z8ZaRncM0zBKeRqjO2JEcOUYwrYGb1WLhXM1FfMzW3annvFv0rw==",
+      "hasInstallScript": true,
+      "license": "BSD-3-Clause",
+      "peer": true,
+      "dependencies": {
+        "@protobufjs/aspromise": "^1.1.2",
+        "@protobufjs/base64": "^1.1.2",
+        "@protobufjs/codegen": "^2.0.4",
+        "@protobufjs/eventemitter": "^1.1.0",
+        "@protobufjs/fetch": "^1.1.0",
+        "@protobufjs/float": "^1.0.2",
+        "@protobufjs/inquire": "^1.1.0",
+        "@protobufjs/path": "^1.1.2",
+        "@protobufjs/pool": "^1.1.0",
+        "@protobufjs/utf8": "^1.1.0",
+        "@types/node": ">=13.7.0",
+        "long": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/@opentelemetry/propagator-b3": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/propagator-b3/-/propagator-b3-2.2.0.tgz",
@@ -13859,6 +13620,21 @@
         "@opentelemetry/api": ">=1.0.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/propagator-b3/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/propagator-jaeger": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/propagator-jaeger/-/propagator-jaeger-2.2.0.tgz",
@@ -13874,13 +13650,29 @@
         "@opentelemetry/api": ">=1.0.0 <1.10.0"
       }
     },
-    "node_modules/@opentelemetry/resources": {
+    "node_modules/@opentelemetry/propagator-jaeger/node_modules/@opentelemetry/core": {
       "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
-      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/resources": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.4.0.tgz",
+      "integrity": "sha512-RWvGLj2lMDZd7M/5tjkI/2VHMpXebLgPKvBUd9LRasEWR2xAynDwEYZuLvY9P2NGG73HF07jbbgWX2C9oavcQg==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "dependencies": {
+        "@opentelemetry/core": "2.4.0",
         "@opentelemetry/semantic-conventions": "^1.29.0"
       },
       "engines": {
@@ -13891,15 +13683,15 @@
       }
     },
     "node_modules/@opentelemetry/sdk-logs": {
-      "version": "0.208.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.208.0.tgz",
-      "integrity": "sha512-QlAyL1jRpOeaqx7/leG1vJMp84g0xKP6gJmfELBpnI4O/9xPX+Hu5m1POk9Kl+veNkyth5t19hRlN6tNY1sjbA==",
+      "version": "0.210.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.210.0.tgz",
+      "integrity": "sha512-YuaL92Dpyk/Kc1o4e9XiaWWwiC0aBFN+4oy+6A9TP4UNJmRymPMEX10r6EMMFMD7V0hktiSig9cwWo59peeLCQ==",
       "license": "Apache-2.0",
       "peer": true,
       "dependencies": {
-        "@opentelemetry/api-logs": "0.208.0",
-        "@opentelemetry/core": "2.2.0",
-        "@opentelemetry/resources": "2.2.0"
+        "@opentelemetry/api-logs": "0.210.0",
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/resources": "2.4.0"
       },
       "engines": {
         "node": "^18.19.0 || >=20.6.0"
@@ -13909,13 +13701,14 @@
       }
     },
     "node_modules/@opentelemetry/sdk-metrics": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
-      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.4.0.tgz",
+      "integrity": "sha512-qSbfq9mXbLMqmPEjijl32f3ZEmiHekebRggPdPjhHI6t1CsAQOR2Aw/SuTDftk3/l2aaPHpwP3xM2DkgBA1ANw==",
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
-        "@opentelemetry/core": "2.2.0",
-        "@opentelemetry/resources": "2.2.0"
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/resources": "2.4.0"
       },
       "engines": {
         "node": "^18.19.0 || >=20.6.0"
@@ -13972,6 +13765,21 @@
         "node": ">=8.0.0"
       }
     },
+    "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/exporter-trace-otlp-http": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-http/-/exporter-trace-otlp-http-0.207.0.tgz",
@@ -14028,6 +13836,22 @@
         "@opentelemetry/api": "^1.3.0"
       }
     },
+    "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/sdk-logs": {
       "version": "0.207.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.207.0.tgz",
@@ -14045,7 +13869,23 @@
         "@opentelemetry/api": ">=1.4.0 <1.10.0"
       }
     },
-    "node_modules/@opentelemetry/sdk-trace-base": {
+    "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/sdk-metrics": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.2.0.tgz",
+      "integrity": "sha512-G5KYP6+VJMZzpGipQw7Giif48h6SGQ2PFKEYCybeXJsOCB4fp8azqMAAzE5lnnHK3ZVwYQrgmFbsUJO/zOnwGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.9.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/sdk-trace-base": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
       "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
@@ -14062,6 +13902,24 @@
         "@opentelemetry/api": ">=1.3.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.4.0.tgz",
+      "integrity": "sha512-WH0xXkz/OHORDLKqaxcUZS0X+t1s7gGlumr2ebiEgNZQl2b0upK2cdoD0tatf7l8iP74woGJ/Kmxe82jdvcWRw==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "dependencies": {
+        "@opentelemetry/core": "2.4.0",
+        "@opentelemetry/resources": "2.4.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/sdk-trace-node": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-node/-/sdk-trace-node-2.2.0.tgz",
@@ -14079,6 +13937,54 @@
         "@opentelemetry/api": ">=1.0.0 <1.10.0"
       }
     },
+    "node_modules/@opentelemetry/sdk-trace-node/node_modules/@opentelemetry/core": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.2.0.tgz",
+      "integrity": "sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.0.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/sdk-trace-node/node_modules/@opentelemetry/resources": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.2.0.tgz",
+      "integrity": "sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
+    "node_modules/@opentelemetry/sdk-trace-node/node_modules/@opentelemetry/sdk-trace-base": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.2.0.tgz",
+      "integrity": "sha512-xWQgL0Bmctsalg6PaXExmzdedSp3gyKV8mQBwK/j9VGdCDu2fmXIb2gAehBKbkXCpJ4HPkgv3QfoJWRT4dHWbw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@opentelemetry/core": "2.2.0",
+        "@opentelemetry/resources": "2.2.0",
+        "@opentelemetry/semantic-conventions": "^1.29.0"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.6.0"
+      },
+      "peerDependencies": {
+        "@opentelemetry/api": ">=1.3.0 <1.10.0"
+      }
+    },
     "node_modules/@opentelemetry/semantic-conventions": {
       "version": "1.38.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.38.0.tgz",
@@ -18699,12 +18605,12 @@
       }
     },
     "node_modules/@smithy/abort-controller": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.7.tgz",
-      "integrity": "sha512-rzMY6CaKx2qxrbYbqjXWS0plqEy7LOdKHS0bg4ixJ6aoGDPNUcLWk/FRNuCILh7GKLG9TFUXYYeQQldMBBwuyw==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.8.tgz",
+      "integrity": "sha512-peuVfkYHAmS5ybKxWcfraK7WBBP0J+rkfUcbHJJKQ4ir3UAUNQI+Y4Vt/PqSzGqgloJ5O1dk7+WzNL8wcCSXbw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18737,16 +18643,16 @@
       }
     },
     "node_modules/@smithy/config-resolver": {
-      "version": "4.4.5",
-      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.5.tgz",
-      "integrity": "sha512-HAGoUAFYsUkoSckuKbCPayECeMim8pOu+yLy1zOxt1sifzEbrsRpYa+mKcMdiHKMeiqOibyPG0sFJnmaV/OGEg==",
+      "version": "4.4.6",
+      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.6.tgz",
+      "integrity": "sha512-qJpzYC64kaj3S0fueiu3kXm8xPrR3PcXDPEgnaNMRn0EjNSZFoFjvbUp0YUDsRhN1CB90EnHJtbxWKevnH99UQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-config-provider": "^4.2.0",
-        "@smithy/util-endpoints": "^3.2.7",
-        "@smithy/util-middleware": "^4.2.7",
+        "@smithy/util-endpoints": "^3.2.8",
+        "@smithy/util-middleware": "^4.2.8",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18754,18 +18660,18 @@
       }
     },
     "node_modules/@smithy/core": {
-      "version": "3.20.0",
-      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.20.0.tgz",
-      "integrity": "sha512-WsSHCPq/neD5G/MkK4csLI5Y5Pkd9c1NMfpYEKeghSGaD4Ja1qLIohRQf2D5c1Uy5aXp76DeKHkzWZ9KAlHroQ==",
+      "version": "3.20.6",
+      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.20.6.tgz",
+      "integrity": "sha512-BpAffW1mIyRZongoKBbh3RgHG+JDHJek/8hjA/9LnPunM+ejorO6axkxCgwxCe4K//g/JdPeR9vROHDYr/hfnQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-body-length-browser": "^4.2.0",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-stream": "^4.5.8",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-stream": "^4.5.10",
         "@smithy/util-utf8": "^4.2.0",
         "@smithy/uuid": "^1.1.0",
         "tslib": "^2.6.2"
@@ -18813,15 +18719,15 @@
       }
     },
     "node_modules/@smithy/credential-provider-imds": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.7.tgz",
-      "integrity": "sha512-CmduWdCiILCRNbQWFR0OcZlUPVtyE49Sr8yYL0rZQ4D/wKxiNzBNS/YHemvnbkIWj623fplgkexUd/c9CAKdoA==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.8.tgz",
+      "integrity": "sha512-FNT0xHS1c/CPN8upqbMFP83+ul5YgdisfCfkZ86Jh2NSmnqw/AJ6x5pEogVCTVvSm7j9MopRU89bmDelxuDMYw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18829,13 +18735,13 @@
       }
     },
     "node_modules/@smithy/eventstream-codec": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.7.tgz",
-      "integrity": "sha512-DrpkEoM3j9cBBWhufqBwnbbn+3nf1N9FP6xuVJ+e220jbactKuQgaZwjwP5CP1t+O94brm2JgVMD2atMGX3xIQ==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.8.tgz",
+      "integrity": "sha512-jS/O5Q14UsufqoGhov7dHLOPCzkYJl9QDzusI2Psh4wyYx/izhzvX9P4D69aTxcdfVhEPhjK+wYyn/PzLjKbbw==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/crc32": "5.2.0",
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-hex-encoding": "^4.2.0",
         "tslib": "^2.6.2"
       },
@@ -18844,13 +18750,13 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-browser": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.7.tgz",
-      "integrity": "sha512-ujzPk8seYoDBmABDE5YqlhQZAXLOrtxtJLrbhHMKjBoG5b4dK4i6/mEU+6/7yXIAkqOO8sJ6YxZl+h0QQ1IJ7g==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.8.tgz",
+      "integrity": "sha512-MTfQT/CRQz5g24ayXdjg53V0mhucZth4PESoA5IhvaWVDTOQLfo8qI9vzqHcPsdd2v6sqfTYqF5L/l+pea5Uyw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-serde-universal": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/eventstream-serde-universal": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18858,12 +18764,12 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-config-resolver": {
-      "version": "4.3.7",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.7.tgz",
-      "integrity": "sha512-x7BtAiIPSaNaWuzm24Q/mtSkv+BrISO/fmheiJ39PKRNH3RmH2Hph/bUKSOBOBC9unqfIYDhKTHwpyZycLGPVQ==",
+      "version": "4.3.8",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.8.tgz",
+      "integrity": "sha512-ah12+luBiDGzBruhu3efNy1IlbwSEdNiw8fOZksoKoWW1ZHvO/04MQsdnws/9Aj+5b0YXSSN2JXKy/ClIsW8MQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18871,13 +18777,13 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-node": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.7.tgz",
-      "integrity": "sha512-roySCtHC5+pQq5lK4be1fZ/WR6s/AxnPaLfCODIPArtN2du8s5Ot4mKVK3pPtijL/L654ws592JHJ1PbZFF6+A==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.8.tgz",
+      "integrity": "sha512-cYpCpp29z6EJHa5T9WL0KAlq3SOKUQkcgSoeRfRVwjGgSFl7Uh32eYGt7IDYCX20skiEdRffyDpvF2efEZPC0A==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-serde-universal": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/eventstream-serde-universal": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18885,13 +18791,13 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-universal": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.7.tgz",
-      "integrity": "sha512-QVD+g3+icFkThoy4r8wVFZMsIP08taHVKjE6Jpmz8h5CgX/kk6pTODq5cht0OMtcapUx+xrPzUTQdA+TmO0m1g==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.8.tgz",
+      "integrity": "sha512-iJ6YNJd0bntJYnX6s52NC4WFYcZeKrPUr1Kmmr5AwZcwCSzVpS7oavAmxMR7pMq7V+D1G4s9F5NJK0xwOsKAlQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-codec": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/eventstream-codec": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -18899,14 +18805,14 @@
       }
     },
     "node_modules/@smithy/fetch-http-handler": {
-      "version": "5.3.8",
-      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.8.tgz",
-      "integrity": "sha512-h/Fi+o7mti4n8wx1SR6UHWLaakwHRx29sizvp8OOm7iqwKGFneT06GCSFhml6Bha5BT6ot5pj3CYZnCHhGC2Rg==",
+      "version": "5.3.9",
+      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.9.tgz",
+      "integrity": "sha512-I4UhmcTYXBrct03rwzQX1Y/iqQlzVQaPxWjCjula++5EmWq9YGBrx6bbGqluGc1f0XEfhSkiY4jhLgbsJUMKRA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/querystring-builder": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/querystring-builder": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-base64": "^4.3.0",
         "tslib": "^2.6.2"
       },
@@ -18930,12 +18836,12 @@
       }
     },
     "node_modules/@smithy/hash-node": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.7.tgz",
-      "integrity": "sha512-PU/JWLTBCV1c8FtB8tEFnY4eV1tSfBc7bDBADHfn1K+uRbPgSJ9jnJp0hyjiFN2PMdPzxsf1Fdu0eo9fJ760Xw==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.8.tgz",
+      "integrity": "sha512-7ZIlPbmaDGxVoxErDZnuFG18WekhbA/g2/i97wGj+wUBeS6pcUeAym8u4BXh/75RXWhgIJhyC11hBzig6MljwA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-buffer-from": "^4.2.0",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
@@ -19035,12 +18941,12 @@
       }
     },
     "node_modules/@smithy/invalid-dependency": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.7.tgz",
-      "integrity": "sha512-ncvgCr9a15nPlkhIUx3CU4d7E7WEuVJOV7fS7nnK2hLtPK9tYRBkMHQbhXU1VvvKeBm/O0x26OEoBq+ngFpOEQ==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.8.tgz",
+      "integrity": "sha512-N9iozRybwAQ2dn9Fot9kI6/w9vos2oTXLhtK7ovGqwZjlOcxu6XhPlpLpC+INsxktqHinn5gS2DXDjDF2kG5sQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19111,13 +19017,13 @@
       }
     },
     "node_modules/@smithy/middleware-content-length": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.7.tgz",
-      "integrity": "sha512-GszfBfCcvt7kIbJ41LuNa5f0wvQCHhnGx/aDaZJCCT05Ld6x6U2s0xsc/0mBFONBZjQJp2U/0uSJ178OXOwbhg==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.8.tgz",
+      "integrity": "sha512-RO0jeoaYAB1qBRhfVyq0pMgBoUK34YEJxVxyjOWYZiOKOq2yMZ4MnVXMZCUDenpozHue207+9P5ilTV1zeda0A==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19125,18 +19031,18 @@
       }
     },
     "node_modules/@smithy/middleware-endpoint": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.1.tgz",
-      "integrity": "sha512-gpLspUAoe6f1M6H0u4cVuFzxZBrsGZmjx2O9SigurTx4PbntYa4AJ+o0G0oGm1L2oSX6oBhcGHwrfJHup2JnJg==",
+      "version": "4.4.7",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.7.tgz",
+      "integrity": "sha512-SCmhUG1UwtnEhF5Sxd8qk7bJwkj1BpFzFlHkXqKCEmDPLrRjJyTGM0EhqT7XBtDaDJjCfjRJQodgZcKDR843qg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/core": "^3.20.0",
-        "@smithy/middleware-serde": "^4.2.8",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/url-parser": "^4.2.7",
-        "@smithy/util-middleware": "^4.2.7",
+        "@smithy/core": "^3.20.6",
+        "@smithy/middleware-serde": "^4.2.9",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
+        "@smithy/url-parser": "^4.2.8",
+        "@smithy/util-middleware": "^4.2.8",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19144,18 +19050,18 @@
       }
     },
     "node_modules/@smithy/middleware-retry": {
-      "version": "4.4.17",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.17.tgz",
-      "integrity": "sha512-MqbXK6Y9uq17h+4r0ogu/sBT6V/rdV+5NvYL7ZV444BKfQygYe8wAhDrVXagVebN6w2RE0Fm245l69mOsPGZzg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/service-error-classification": "^4.2.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
-        "@smithy/util-middleware": "^4.2.7",
-        "@smithy/util-retry": "^4.2.7",
+      "version": "4.4.23",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.23.tgz",
+      "integrity": "sha512-lLEmkQj7I7oKfvZ1wsnToGJouLOtfkMXDKRA1Hi6F+mMp5O1N8GcVWmVeNgTtgZtd0OTXDTI2vpVQmeutydGew==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/service-error-classification": "^4.2.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/util-middleware": "^4.2.8",
+        "@smithy/util-retry": "^4.2.8",
         "@smithy/uuid": "^1.1.0",
         "tslib": "^2.6.2"
       },
@@ -19164,13 +19070,13 @@
       }
     },
     "node_modules/@smithy/middleware-serde": {
-      "version": "4.2.8",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.8.tgz",
-      "integrity": "sha512-8rDGYen5m5+NV9eHv9ry0sqm2gI6W7mc1VSFMtn6Igo25S507/HaOX9LTHAS2/J32VXD0xSzrY0H5FJtOMS4/w==",
+      "version": "4.2.9",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.9.tgz",
+      "integrity": "sha512-eMNiej0u/snzDvlqRGSN3Vl0ESn3838+nKyVfF2FKNXFbi4SERYT6PR392D39iczngbqqGG0Jl1DlCnp7tBbXQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19178,12 +19084,12 @@
       }
     },
     "node_modules/@smithy/middleware-stack": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.7.tgz",
-      "integrity": "sha512-bsOT0rJ+HHlZd9crHoS37mt8qRRN/h9jRve1SXUhVbkRzu0QaNYZp1i1jha4n098tsvROjcwfLlfvcFuJSXEsw==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.8.tgz",
+      "integrity": "sha512-w6LCfOviTYQjBctOKSwy6A8FIkQy7ICvglrZFl6Bw4FmcQ1Z420fUtIhxaUZZshRe0VCq4kvDiPiXrPZAe8oRA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19191,14 +19097,14 @@
       }
     },
     "node_modules/@smithy/node-config-provider": {
-      "version": "4.3.7",
-      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.7.tgz",
-      "integrity": "sha512-7r58wq8sdOcrwWe+klL9y3bc4GW1gnlfnFOuL7CXa7UzfhzhxKuzNdtqgzmTV+53lEp9NXh5hY/S4UgjLOzPfw==",
+      "version": "4.3.8",
+      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.8.tgz",
+      "integrity": "sha512-aFP1ai4lrbVlWjfpAfRSL8KFcnJQYfTl5QxLJXY32vghJrDuFyPZ6LtUL+JEGYiFRG1PfPLHLoxj107ulncLIg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/shared-ini-file-loader": "^4.4.2",
-        "@smithy/types": "^4.11.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/shared-ini-file-loader": "^4.4.3",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19206,15 +19112,15 @@
       }
     },
     "node_modules/@smithy/node-http-handler": {
-      "version": "4.4.7",
-      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.4.7.tgz",
-      "integrity": "sha512-NELpdmBOO6EpZtWgQiHjoShs1kmweaiNuETUpuup+cmm/xJYjT4eUjfhrXRP4jCOaAsS3c3yPsP3B+K+/fyPCQ==",
+      "version": "4.4.8",
+      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.4.8.tgz",
+      "integrity": "sha512-q9u+MSbJVIJ1QmJ4+1u+cERXkrhuILCBDsJUBAW1MPE6sFonbCNaegFuwW9ll8kh5UdyY3jOkoOGlc7BesoLpg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/abort-controller": "^4.2.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/querystring-builder": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/abort-controller": "^4.2.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/querystring-builder": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19222,12 +19128,12 @@
       }
     },
     "node_modules/@smithy/property-provider": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.7.tgz",
-      "integrity": "sha512-jmNYKe9MGGPoSl/D7JDDs1C8b3dC8f/w78LbaVfoTtWy4xAd5dfjaFG9c9PWPihY4ggMQNQSMtzU77CNgAJwmA==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.8.tgz",
+      "integrity": "sha512-EtCTbyIveCKeOXDSWSdze3k612yCPq1YbXsbqX3UHhkOSW8zKsM9NOJG5gTIya0vbY2DIaieG8pKo1rITHYL0w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19235,12 +19141,12 @@
       }
     },
     "node_modules/@smithy/protocol-http": {
-      "version": "5.3.7",
-      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.7.tgz",
-      "integrity": "sha512-1r07pb994I20dD/c2seaZhoCuNYm0rWrvBxhCQ70brNh11M5Ml2ew6qJVo0lclB3jMIXirD4s2XRXRe7QEi0xA==",
+      "version": "5.3.8",
+      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.8.tgz",
+      "integrity": "sha512-QNINVDhxpZ5QnP3aviNHQFlRogQZDfYlCkQT+7tJnErPQbDhysondEjhikuANxgMsZrkGeiAxXy4jguEGsDrWQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19248,12 +19154,12 @@
       }
     },
     "node_modules/@smithy/querystring-builder": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.7.tgz",
-      "integrity": "sha512-eKONSywHZxK4tBxe2lXEysh8wbBdvDWiA+RIuaxZSgCMmA0zMgoDpGLJhnyj+c0leOQprVnXOmcB4m+W9Rw7sg==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.8.tgz",
+      "integrity": "sha512-Xr83r31+DrE8CP3MqPgMJl+pQlLLmOfiEUnoyAlGzzJIrEsbKsPy1hqH0qySaQm4oWrCBlUqRt+idEgunKB+iw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-uri-escape": "^4.2.0",
         "tslib": "^2.6.2"
       },
@@ -19262,12 +19168,12 @@
       }
     },
     "node_modules/@smithy/querystring-parser": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.7.tgz",
-      "integrity": "sha512-3X5ZvzUHmlSTHAXFlswrS6EGt8fMSIxX/c3Rm1Pni3+wYWB6cjGocmRIoqcQF9nU5OgGmL0u7l9m44tSUpfj9w==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.8.tgz",
+      "integrity": "sha512-vUurovluVy50CUlazOiXkPq40KGvGWSdmusa3130MwrR1UNnNgKAlj58wlOe61XSHRpUfIIh6cE0zZ8mzKaDPA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19275,24 +19181,24 @@
       }
     },
     "node_modules/@smithy/service-error-classification": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.7.tgz",
-      "integrity": "sha512-YB7oCbukqEb2Dlh3340/8g8vNGbs/QsNNRms+gv3N2AtZz9/1vSBx6/6tpwQpZMEJFs7Uq8h4mmOn48ZZ72MkA==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.8.tgz",
+      "integrity": "sha512-mZ5xddodpJhEt3RkCjbmUQuXUOaPNTkbMGR0bcS8FE0bJDLMZlhmpgrvPNCYglVw5rsYTpSnv19womw9WWXKQQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0"
+        "@smithy/types": "^4.12.0"
       },
       "engines": {
         "node": ">=18.0.0"
       }
     },
     "node_modules/@smithy/shared-ini-file-loader": {
-      "version": "4.4.2",
-      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.2.tgz",
-      "integrity": "sha512-M7iUUff/KwfNunmrgtqBfvZSzh3bmFgv/j/t1Y1dQ+8dNo34br1cqVEqy6v0mYEgi0DkGO7Xig0AnuOaEGVlcg==",
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.3.tgz",
+      "integrity": "sha512-DfQjxXQnzC5UbCUPeC3Ie8u+rIWZTvuDPAGU/BxzrOGhRvgUanaP68kDZA+jaT3ZI+djOf+4dERGlm9mWfFDrg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19300,16 +19206,16 @@
       }
     },
     "node_modules/@smithy/signature-v4": {
-      "version": "5.3.7",
-      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.7.tgz",
-      "integrity": "sha512-9oNUlqBlFZFOSdxgImA6X5GFuzE7V2H7VG/7E70cdLhidFbdtvxxt81EHgykGK5vq5D3FafH//X+Oy31j3CKOg==",
+      "version": "5.3.8",
+      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.8.tgz",
+      "integrity": "sha512-6A4vdGj7qKNRF16UIcO8HhHjKW27thsxYci+5r/uVRkdcBEkOEiY8OMPuydLX4QHSrJqGHPJzPRwwVTqbLZJhg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/is-array-buffer": "^4.2.0",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-hex-encoding": "^4.2.0",
-        "@smithy/util-middleware": "^4.2.7",
+        "@smithy/util-middleware": "^4.2.8",
         "@smithy/util-uri-escape": "^4.2.0",
         "@smithy/util-utf8": "^4.2.0",
         "tslib": "^2.6.2"
@@ -19357,17 +19263,17 @@
       }
     },
     "node_modules/@smithy/smithy-client": {
-      "version": "4.10.2",
-      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.10.2.tgz",
-      "integrity": "sha512-D5z79xQWpgrGpAHb054Fn2CCTQZpog7JELbVQ6XAvXs5MNKWf28U9gzSBlJkOyMl9LA1TZEjRtwvGXfP0Sl90g==",
+      "version": "4.10.8",
+      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.10.8.tgz",
+      "integrity": "sha512-wcr3UEL26k7lLoyf9eVDZoD1nNY3Fa1gbNuOXvfxvVWLGkOVW+RYZgUUp/bXHryJfycIOQnBq9o1JAE00ax8HQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/core": "^3.20.0",
-        "@smithy/middleware-endpoint": "^4.4.1",
-        "@smithy/middleware-stack": "^4.2.7",
-        "@smithy/protocol-http": "^5.3.7",
-        "@smithy/types": "^4.11.0",
-        "@smithy/util-stream": "^4.5.8",
+        "@smithy/core": "^3.20.6",
+        "@smithy/middleware-endpoint": "^4.4.7",
+        "@smithy/middleware-stack": "^4.2.8",
+        "@smithy/protocol-http": "^5.3.8",
+        "@smithy/types": "^4.12.0",
+        "@smithy/util-stream": "^4.5.10",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19375,9 +19281,9 @@
       }
     },
     "node_modules/@smithy/types": {
-      "version": "4.11.0",
-      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.11.0.tgz",
-      "integrity": "sha512-mlrmL0DRDVe3mNrjTcVcZEgkFmufITfUAPBEA+AHYiIeYyJebso/He1qLbP3PssRe22KUzLRpQSdBPbXdgZ2VA==",
+      "version": "4.12.0",
+      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.12.0.tgz",
+      "integrity": "sha512-9YcuJVTOBDjg9LWo23Qp0lTQ3D7fQsQtwle0jVfpbUHy9qBwCEgKuVH4FqFB3VYu0nwdHKiEMA+oXz7oV8X1kw==",
       "license": "Apache-2.0",
       "dependencies": {
         "tslib": "^2.6.2"
@@ -19387,13 +19293,13 @@
       }
     },
     "node_modules/@smithy/url-parser": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.7.tgz",
-      "integrity": "sha512-/RLtVsRV4uY3qPWhBDsjwahAtt3x2IsMGnP5W1b2VZIe+qgCqkLxI1UOHDZp1Q1QSOrdOR32MF3Ph2JfWT1VHg==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.8.tgz",
+      "integrity": "sha512-NQho9U68TGMEU639YkXnVMV3GEFFULmmaWdlu1E9qzyIePOHsoSnagTGSDv1Zi8DCNN6btxOSdgmy5E/hsZwhA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/querystring-parser": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/querystring-parser": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19501,14 +19407,14 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-browser": {
-      "version": "4.3.16",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.16.tgz",
-      "integrity": "sha512-/eiSP3mzY3TsvUOYMeL4EqUX6fgUOj2eUOU4rMMgVbq67TiRLyxT7Xsjxq0bW3OwuzK009qOwF0L2OgJqperAQ==",
+      "version": "4.3.22",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.22.tgz",
+      "integrity": "sha512-O2WXr6ZRqPnbyoepb7pKcLt1QL6uRfFzGYJ9sGb5hMJQi7v/4RjRmCQa9mNjA0YiXqsc5lBmLXqJPhjM1Vjv5A==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19516,17 +19422,17 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-node": {
-      "version": "4.2.19",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.19.tgz",
-      "integrity": "sha512-3a4+4mhf6VycEJyHIQLypRbiwG6aJvbQAeRAVXydMmfweEPnLLabRbdyo/Pjw8Rew9vjsh5WCdhmDaHkQnhhhA==",
+      "version": "4.2.25",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.25.tgz",
+      "integrity": "sha512-7uMhppVNRbgNIpyUBVRfjGHxygP85wpXalRvn9DvUlCx4qgy1AB/uxOPSiDx/jFyrwD3/BypQhx1JK7f3yxrAw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/config-resolver": "^4.4.5",
-        "@smithy/credential-provider-imds": "^4.2.7",
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/property-provider": "^4.2.7",
-        "@smithy/smithy-client": "^4.10.2",
-        "@smithy/types": "^4.11.0",
+        "@smithy/config-resolver": "^4.4.6",
+        "@smithy/credential-provider-imds": "^4.2.8",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/property-provider": "^4.2.8",
+        "@smithy/smithy-client": "^4.10.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19534,13 +19440,13 @@
       }
     },
     "node_modules/@smithy/util-endpoints": {
-      "version": "3.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.2.7.tgz",
-      "integrity": "sha512-s4ILhyAvVqhMDYREeTS68R43B1V5aenV5q/V1QpRQJkCXib5BPRo4s7uNdzGtIKxaPHCfU/8YkvPAEvTpxgspg==",
+      "version": "3.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.2.8.tgz",
+      "integrity": "sha512-8JaVTn3pBDkhZgHQ8R0epwWt+BqPSLCjdjXXusK1onwJlRuN69fbvSK66aIKKO7SwVFM6x2J2ox5X8pOaWcUEw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/node-config-provider": "^4.3.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19560,12 +19466,12 @@
       }
     },
     "node_modules/@smithy/util-middleware": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.7.tgz",
-      "integrity": "sha512-i1IkpbOae6NvIKsEeLLM9/2q4X+M90KV3oCFgWQI4q0Qz+yUZvsr+gZPdAEAtFhWQhAHpTsJO8DRJPuwVyln+w==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.8.tgz",
+      "integrity": "sha512-PMqfeJxLcNPMDgvPbbLl/2Vpin+luxqTGPpW3NAQVLbRrFRzTa4rNAASYeIGjRV9Ytuhzny39SpyU04EQreF+A==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.11.0",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19573,13 +19479,13 @@
       }
     },
     "node_modules/@smithy/util-retry": {
-      "version": "4.2.7",
-      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.7.tgz",
-      "integrity": "sha512-SvDdsQyF5CIASa4EYVT02LukPHVzAgUA4kMAuZ97QJc2BpAqZfA4PINB8/KOoCXEw9tsuv/jQjMeaHFvxdLNGg==",
+      "version": "4.2.8",
+      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.8.tgz",
+      "integrity": "sha512-CfJqwvoRY0kTGe5AkQokpURNCT1u/MkRzMTASWMPPo2hNSnKtF1D45dQl3DE2LKLr4m+PW9mCeBMJr5mCAVThg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/service-error-classification": "^4.2.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/service-error-classification": "^4.2.8",
+        "@smithy/types": "^4.12.0",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -19587,14 +19493,14 @@
       }
     },
     "node_modules/@smithy/util-stream": {
-      "version": "4.5.8",
-      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.8.tgz",
-      "integrity": "sha512-ZnnBhTapjM0YPGUSmOs0Mcg/Gg87k503qG4zU2v/+Js2Gu+daKOJMeqcQns8ajepY8tgzzfYxl6kQyZKml6O2w==",
+      "version": "4.5.10",
+      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.10.tgz",
+      "integrity": "sha512-jbqemy51UFSZSp2y0ZmRfckmrzuKww95zT9BYMmuJ8v3altGcqjwoV1tzpOwuHaKrwQrCjIzOib499ymr2f98g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/fetch-http-handler": "^5.3.8",
-        "@smithy/node-http-handler": "^4.4.7",
-        "@smithy/types": "^4.11.0",
+        "@smithy/fetch-http-handler": "^5.3.9",
+        "@smithy/node-http-handler": "^4.4.8",
+        "@smithy/types": "^4.12.0",
         "@smithy/util-base64": "^4.3.0",
         "@smithy/util-buffer-from": "^4.2.0",
         "@smithy/util-hex-encoding": "^4.2.0",
@@ -23103,9 +23009,10 @@
       }
     },
     "node_modules/cjs-module-lexer": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.2.3.tgz",
-      "integrity": "sha512-0TNiGstbQmCFwt4akjjBg5pLRTSyj/PkWQ1ZoO2zntmg9yLqSRxwEa4iCfQLGjqhiqBfOJa7W/E8wfGrTDmlZQ=="
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-2.2.0.tgz",
+      "integrity": "sha512-4bHTS2YuzUvtoLjdy+98ykbNB5jS0+07EvFNXerqZQJ89F7DI6ET7OQo/HJuW6K0aVsKA9hj9/RVb2kQVOrPDQ==",
+      "license": "MIT"
     },
     "node_modules/class-variance-authority": {
       "version": "0.7.1",
@@ -25305,6 +25212,7 @@
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/whatwg-encoding/-/whatwg-encoding-3.1.1.tgz",
       "integrity": "sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==",
+      "deprecated": "Use @exodus/bytes instead for a more spec-conformant and faster implementation",
       "license": "MIT",
       "dependencies": {
         "iconv-lite": "0.6.3"
@@ -28472,15 +28380,15 @@
       }
     },
     "node_modules/import-in-the-middle": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-2.0.0.tgz",
-      "integrity": "sha512-yNZhyQYqXpkT0AKq3F3KLasUSK4fHvebNH5hOsKQw2dhGSALvQ4U0BqUc5suziKvydO5u5hgN2hy1RJaho8U5A==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-2.0.4.tgz",
+      "integrity": "sha512-Al0kMpa0BqfvDnxjxGlab9vdQ0vTDs82TBKrD59X9jReUoPAzSGBb6vGDzMUMFBGyyDF03RpLT4oxGn6BpASzQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "acorn": "^8.14.0",
+        "acorn": "^8.15.0",
         "acorn-import-attributes": "^1.9.5",
-        "cjs-module-lexer": "^1.2.2",
-        "module-details-from-path": "^1.0.3"
+        "cjs-module-lexer": "^2.2.0",
+        "module-details-from-path": "^1.0.4"
       }
     },
     "node_modules/import-local": {
@@ -29932,13 +29840,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/jest/node_modules/cjs-module-lexer": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-2.1.1.tgz",
-      "integrity": "sha512-+CmxIZ/L2vNcEfvNtLdU0ZQ6mbq3FZnwAP2PPTiKP+1QOoKwlKlPgb8UKV0Dds7QVaMnHm+FwSft2VB0s/SLjQ==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/jest/node_modules/expect": {
       "version": "30.2.0",
       "resolved": "https://registry.npmjs.org/expect/-/expect-30.2.0.tgz",
@@ -32770,19 +32671,6 @@
         "uuid": "^11.1.0"
       }
     },
-    "node_modules/mermaid/node_modules/uuid": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
-      "funding": [
-        "https://github.com/sponsors/broofa",
-        "https://github.com/sponsors/ctavan"
-      ],
-      "license": "MIT",
-      "bin": {
-        "uuid": "dist/esm/bin/uuid"
-      }
-    },
     "node_modules/methods": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
@@ -41632,15 +41520,16 @@
       }
     },
     "node_modules/uuid": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
-      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "version": "11.1.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
+      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
       ],
+      "license": "MIT",
       "bin": {
-        "uuid": "dist/bin/uuid"
+        "uuid": "dist/esm/bin/uuid"
       }
     },
     "node_modules/v8-compile-cache-lib": {
@@ -43123,7 +43012,7 @@
       },
       "peerDependencies": {
         "@anthropic-ai/vertex-sdk": "^0.14.0",
-        "@aws-sdk/client-bedrock-runtime": "^3.941.0",
+        "@aws-sdk/client-bedrock-runtime": "^3.970.0",
         "@aws-sdk/client-s3": "^3.758.0",
         "@azure/identity": "^4.7.0",
         "@azure/search-documents": "^12.0.0",
@@ -43131,7 +43020,7 @@
         "@google/genai": "^1.19.0",
         "@keyv/redis": "^4.3.3",
         "@langchain/core": "^0.3.80",
-        "@librechat/agents": "^3.0.776",
+        "@librechat/agents": "^3.1.0",
         "@librechat/data-schemas": "*",
         "@modelcontextprotocol/sdk": "^1.25.2",
         "@smithy/node-http-handler": "^4.4.5",
diff --git a/packages/api/package.json b/packages/api/package.json
index c73c6431657b..c2439ad8f252 100644
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -79,7 +79,7 @@
   },
   "peerDependencies": {
     "@anthropic-ai/vertex-sdk": "^0.14.0",
-    "@aws-sdk/client-bedrock-runtime": "^3.941.0",
+    "@aws-sdk/client-bedrock-runtime": "^3.970.0",
     "@aws-sdk/client-s3": "^3.758.0",
     "@azure/identity": "^4.7.0",
     "@azure/search-documents": "^12.0.0",
@@ -87,7 +87,7 @@
     "@google/genai": "^1.19.0",
     "@keyv/redis": "^4.3.3",
     "@langchain/core": "^0.3.80",
-    "@librechat/agents": "^3.0.776",
+    "@librechat/agents": "^3.1.0",
     "@librechat/data-schemas": "*",
     "@modelcontextprotocol/sdk": "^1.25.2",
     "@smithy/node-http-handler": "^4.4.5",
diff --git a/packages/api/src/agents/index.ts b/packages/api/src/agents/index.ts
index 77e7f9e2cc45..6539db3db197 100644
--- a/packages/api/src/agents/index.ts
+++ b/packages/api/src/agents/index.ts
@@ -6,6 +6,8 @@ export * from './initialize';
 export * from './legacy';
 export * from './memory';
 export * from './migration';
+export * from './openai';
 export * from './resources';
+export * from './responses';
 export * from './run';
 export * from './validation';
diff --git a/packages/api/src/agents/initialize.ts b/packages/api/src/agents/initialize.ts
index 2671b8d65f4e..dae58323b06d 100644
--- a/packages/api/src/agents/initialize.ts
+++ b/packages/api/src/agents/initialize.ts
@@ -1,5 +1,6 @@
 import { Providers } from '@librechat/agents';
 import {
+  Constants,
   ErrorTypes,
   EModelEndpoint,
   EToolResources,
@@ -10,16 +11,22 @@ import {
 } from 'librechat-data-provider';
 import type {
   AgentToolResources,
+  AgentToolOptions,
   TEndpointOption,
   TFile,
   Agent,
   TUser,
 } from 'librechat-data-provider';
+import type { GenericTool, LCToolRegistry, ToolMap } from '@librechat/agents';
 import type { Response as ServerResponse } from 'express';
 import type { IMongoFile } from '@librechat/data-schemas';
-import type { GenericTool } from '@librechat/agents';
 import type { InitializeResultBase, ServerRequest, EndpointDbMethods } from '~/types';
-import { getModelMaxTokens, extractLibreChatParams, optionalChainWithEmptyCheck } from '~/utils';
+import {
+  optionalChainWithEmptyCheck,
+  extractLibreChatParams,
+  getModelMaxTokens,
+  getThreadData,
+} from '~/utils';
 import { filterFilesByEndpointConfig } from '~/files';
 import { generateArtifactsPrompt } from '~/prompts';
 import { getProviderConfig } from '~/endpoints';
@@ -36,6 +43,12 @@ export type InitializedAgent = Agent & {
   useLegacyContent: boolean;
   resendFiles: boolean;
   userMCPAuthMap?: Record<string, Record<string, string>>;
+  /** Tool map for ToolNode to use when executing tools (required for PTC) */
+  toolMap?: ToolMap;
+  /** Tool registry for PTC and tool search (only present when MCP tools with env classification exist) */
+  toolRegistry?: LCToolRegistry;
+  /** Precomputed flag indicating if any tools have defer_loading enabled (for efficient runtime checks) */
+  hasDeferredTools?: boolean;
 };
 
 /**
@@ -51,6 +64,8 @@ export interface InitializeAgentParams {
   agent: Agent;
   /** Conversation ID (optional) */
   conversationId?: string | null;
+  /** Parent message ID for determining the current thread (optional) */
+  parentMessageId?: string | null;
   /** Request files */
   requestFiles?: IMongoFile[];
   /** Function to load agent tools */
@@ -61,11 +76,14 @@ export interface InitializeAgentParams {
     agentId: string;
     tools: string[];
     model: string | null;
+    tool_options: AgentToolOptions | undefined;
     tool_resources: AgentToolResources | undefined;
   }) => Promise<{
     tools: GenericTool[];
     toolContextMap: Record<string, unknown>;
     userMCPAuthMap?: Record<string, Record<string, string>>;
+    toolRegistry?: LCToolRegistry;
+    hasDeferredTools?: boolean;
   } | null>;
   /** Endpoint option (contains model_parameters and endpoint info) */
   endpointOption?: Partial<TEndpointOption>;
@@ -85,10 +103,23 @@ export interface InitializeAgentDbMethods extends EndpointDbMethods {
   updateFilesUsage: (files: Array<{ file_id: string }>, fileIds?: string[]) => Promise<unknown[]>;
   /** Get files from database */
   getFiles: (filter: unknown, sort: unknown, select: unknown, opts?: unknown) => Promise<unknown[]>;
-  /** Get tool files by IDs */
+  /** Get tool files by IDs (user-uploaded files only, code files handled separately) */
   getToolFilesByIds: (fileIds: string[], toolSet: Set<EToolResources>) => Promise<unknown[]>;
   /** Get conversation file IDs */
   getConvoFiles: (conversationId: string) => Promise<string[] | null>;
+  /** Get code-generated files by conversation ID and optional message IDs */
+  getCodeGeneratedFiles?: (conversationId: string, messageIds?: string[]) => Promise<unknown[]>;
+  /** Get user-uploaded execute_code files by file IDs (from message.files in thread) */
+  getUserCodeFiles?: (fileIds: string[]) => Promise<unknown[]>;
+  /** Get messages for a conversation (supports select for field projection) */
+  getMessages?: (
+    filter: { conversationId: string },
+    select?: string,
+  ) => Promise<Array<{
+    messageId: string;
+    parentMessageId?: string;
+    files?: Array<{ file_id: string }>;
+  }> | null>;
 }
 
 /**
@@ -115,6 +146,7 @@ export async function initializeAgent(
     requestFiles = [],
     conversationId,
     endpointOption,
+    parentMessageId,
     allowedProviders,
     isInitialAgent = false,
   } = params;
@@ -164,9 +196,51 @@ export async function initializeAgent(
         toolResourceSet.add(EToolResources[tool as keyof typeof EToolResources]);
       }
     }
+
     const toolFiles = (await db.getToolFilesByIds(fileIds, toolResourceSet)) as IMongoFile[];
-    if (requestFiles.length || toolFiles.length) {
-      currentFiles = (await db.updateFilesUsage(requestFiles.concat(toolFiles))) as IMongoFile[];
+
+    /**
+     * Retrieve execute_code files filtered to the current thread.
+     * This includes both code-generated files and user-uploaded execute_code files.
+     */
+    let codeGeneratedFiles: IMongoFile[] = [];
+    let userCodeFiles: IMongoFile[] = [];
+
+    if (toolResourceSet.has(EToolResources.execute_code)) {
+      let threadMessageIds: string[] | undefined;
+      let threadFileIds: string[] | undefined;
+
+      if (parentMessageId && parentMessageId !== Constants.NO_PARENT && db.getMessages) {
+        /** Only select fields needed for thread traversal */
+        const messages = await db.getMessages(
+          { conversationId },
+          'messageId parentMessageId files',
+        );
+        if (messages && messages.length > 0) {
+          /** Single O(n) pass: build Map, traverse thread, collect both IDs */
+          const threadData = getThreadData(messages, parentMessageId);
+          threadMessageIds = threadData.messageIds;
+          threadFileIds = threadData.fileIds;
+        }
+      }
+
+      /** Code-generated files (context: execute_code) filtered by messageId */
+      if (db.getCodeGeneratedFiles) {
+        codeGeneratedFiles = (await db.getCodeGeneratedFiles(
+          conversationId,
+          threadMessageIds,
+        )) as IMongoFile[];
+      }
+
+      /** User-uploaded execute_code files (context: agents/message_attachment) from thread messages */
+      if (db.getUserCodeFiles && threadFileIds && threadFileIds.length > 0) {
+        userCodeFiles = (await db.getUserCodeFiles(threadFileIds)) as IMongoFile[];
+      }
+    }
+
+    const allToolFiles = toolFiles.concat(codeGeneratedFiles, userCodeFiles);
+    if (requestFiles.length || allToolFiles.length) {
+      currentFiles = (await db.updateFilesUsage(requestFiles.concat(allToolFiles))) as IMongoFile[];
     }
   } else if (requestFiles.length) {
     currentFiles = (await db.updateFilesUsage(requestFiles)) as IMongoFile[];
@@ -201,6 +275,8 @@ export async function initializeAgent(
     tools: structuredTools,
     toolContextMap,
     userMCPAuthMap,
+    toolRegistry,
+    hasDeferredTools,
   } = (await loadTools?.({
     req,
     res,
@@ -208,8 +284,15 @@ export async function initializeAgent(
     agentId: agent.id,
     tools: agent.tools ?? [],
     model: agent.model,
+    tool_options: agent.tool_options,
     tool_resources,
-  })) ?? { tools: [], toolContextMap: {}, userMCPAuthMap: undefined };
+  })) ?? {
+    tools: [],
+    toolContextMap: {},
+    userMCPAuthMap: undefined,
+    toolRegistry: undefined,
+    hasDeferredTools: false,
+  };
 
   const { getOptions, overrideProvider } = getProviderConfig({
     provider,
@@ -312,6 +395,8 @@ export async function initializeAgent(
     attachments: finalAttachments,
     resendFiles,
     userMCPAuthMap,
+    toolRegistry,
+    hasDeferredTools,
     toolContextMap: toolContextMap ?? {},
     useLegacyContent: !!options.useLegacyContent,
     maxContextTokens: Math.round((agentMaxContextNum - maxOutputTokensNum) * 0.9),
diff --git a/packages/api/src/agents/openai/handlers.ts b/packages/api/src/agents/openai/handlers.ts
new file mode 100644
index 000000000000..f4e4dff3d2fb
--- /dev/null
+++ b/packages/api/src/agents/openai/handlers.ts
@@ -0,0 +1,454 @@
+/**
+ * OpenAI-compatible event handlers for agent streaming.
+ *
+ * These handlers convert LibreChat's internal graph events into OpenAI-compatible
+ * streaming format (SSE with chat.completion.chunk objects).
+ */
+import type { Response as ServerResponse } from 'express';
+import type {
+  ChatCompletionChunkChoice,
+  OpenAIResponseContext,
+  ChatCompletionChunk,
+  CompletionUsage,
+  ToolCall,
+} from './types';
+
+/**
+ * Create a chat completion chunk in OpenAI format
+ */
+export function createChunk(
+  context: OpenAIResponseContext,
+  delta: ChatCompletionChunkChoice['delta'],
+  finishReason: ChatCompletionChunkChoice['finish_reason'] = null,
+  usage?: CompletionUsage,
+): ChatCompletionChunk {
+  return {
+    id: context.requestId,
+    object: 'chat.completion.chunk',
+    created: context.created,
+    model: context.model,
+    choices: [
+      {
+        index: 0,
+        delta,
+        finish_reason: finishReason,
+      },
+    ],
+    ...(usage && { usage }),
+  };
+}
+
+/**
+ * Write an SSE event to the response
+ */
+export function writeSSE(res: ServerResponse, data: ChatCompletionChunk | string): void {
+  if (typeof data === 'string') {
+    res.write(`data: ${data}\n\n`);
+  } else {
+    res.write(`data: ${JSON.stringify(data)}\n\n`);
+  }
+}
+
+/**
+ * Lightweight tracker for streaming responses.
+ * Only tracks what's needed for finish_reason and usage - doesn't store content.
+ */
+export interface OpenAIStreamTracker {
+  /** Whether any text content was emitted */
+  hasText: boolean;
+  /** Whether any reasoning content was emitted */
+  hasReasoning: boolean;
+  /** Accumulated tool calls by index */
+  toolCalls: Map<number, ToolCall>;
+  /** Accumulated usage metadata */
+  usage: {
+    promptTokens: number;
+    completionTokens: number;
+    reasoningTokens: number;
+  };
+  /** Mark that text was emitted */
+  addText: () => void;
+  /** Mark that reasoning was emitted */
+  addReasoning: () => void;
+}
+
+/**
+ * Create a lightweight stream tracker (doesn't store content)
+ */
+export function createOpenAIStreamTracker(): OpenAIStreamTracker {
+  const tracker: OpenAIStreamTracker = {
+    hasText: false,
+    hasReasoning: false,
+    toolCalls: new Map(),
+    usage: {
+      promptTokens: 0,
+      completionTokens: 0,
+      reasoningTokens: 0,
+    },
+    addText: () => {
+      tracker.hasText = true;
+    },
+    addReasoning: () => {
+      tracker.hasReasoning = true;
+    },
+  };
+  return tracker;
+}
+
+/**
+ * Content aggregator for non-streaming responses.
+ * Accumulates full text content, reasoning, and tool calls.
+ * Uses arrays for O(n) text accumulation instead of O(n²) string concatenation.
+ */
+export interface OpenAIContentAggregator {
+  /** Accumulated text chunks */
+  textChunks: string[];
+  /** Accumulated reasoning/thinking chunks */
+  reasoningChunks: string[];
+  /** Accumulated tool calls by index */
+  toolCalls: Map<number, ToolCall>;
+  /** Accumulated usage metadata */
+  usage: {
+    promptTokens: number;
+    completionTokens: number;
+    reasoningTokens: number;
+  };
+  /** Get accumulated text (joins chunks) */
+  getText: () => string;
+  /** Get accumulated reasoning (joins chunks) */
+  getReasoning: () => string;
+  /** Add text chunk */
+  addText: (text: string) => void;
+  /** Add reasoning chunk */
+  addReasoning: (text: string) => void;
+}
+
+/**
+ * Create a content aggregator for non-streaming responses
+ */
+export function createOpenAIContentAggregator(): OpenAIContentAggregator {
+  const textChunks: string[] = [];
+  const reasoningChunks: string[] = [];
+
+  return {
+    textChunks,
+    reasoningChunks,
+    toolCalls: new Map(),
+    usage: {
+      promptTokens: 0,
+      completionTokens: 0,
+      reasoningTokens: 0,
+    },
+    getText: () => textChunks.join(''),
+    getReasoning: () => reasoningChunks.join(''),
+    addText: (text: string) => textChunks.push(text),
+    addReasoning: (text: string) => reasoningChunks.push(text),
+  };
+}
+
+/**
+ * Handler configuration for OpenAI streaming
+ */
+export interface OpenAIStreamHandlerConfig {
+  res: ServerResponse;
+  context: OpenAIResponseContext;
+  tracker: OpenAIStreamTracker;
+}
+
+/**
+ * Graph event types from @librechat/agents
+ */
+export const GraphEvents = {
+  CHAT_MODEL_END: 'on_chat_model_end',
+  TOOL_END: 'on_tool_end',
+  CHAT_MODEL_STREAM: 'on_chat_model_stream',
+  ON_RUN_STEP: 'on_run_step',
+  ON_RUN_STEP_DELTA: 'on_run_step_delta',
+  ON_RUN_STEP_COMPLETED: 'on_run_step_completed',
+  ON_MESSAGE_DELTA: 'on_message_delta',
+  ON_REASONING_DELTA: 'on_reasoning_delta',
+} as const;
+
+/**
+ * Step types from librechat-data-provider
+ */
+export const StepTypes = {
+  MESSAGE_CREATION: 'message_creation',
+  TOOL_CALLS: 'tool_calls',
+} as const;
+
+/**
+ * Event data interfaces
+ */
+export interface MessageDeltaData {
+  id?: string;
+  content?: Array<{ type: string; text?: string }>;
+}
+
+export interface RunStepDeltaData {
+  id?: string;
+  delta?: {
+    type?: string;
+    tool_calls?: Array<{
+      index?: number;
+      id?: string;
+      type?: string;
+      function?: {
+        name?: string;
+        arguments?: string;
+      };
+    }>;
+  };
+}
+
+export interface ToolEndData {
+  output?: {
+    name?: string;
+    tool_call_id?: string;
+    content?: string;
+  };
+}
+
+export interface ModelEndData {
+  output?: {
+    usage_metadata?: {
+      input_tokens?: number;
+      output_tokens?: number;
+      model?: string;
+    };
+  };
+}
+
+/**
+ * Event handler interface
+ */
+export interface EventHandler {
+  handle(
+    event: string,
+    data: unknown,
+    metadata?: Record<string, unknown>,
+    graph?: unknown,
+  ): void | Promise<void>;
+}
+
+/**
+ * Handler for message delta events - streams text content
+ */
+export class OpenAIMessageDeltaHandler implements EventHandler {
+  constructor(private config: OpenAIStreamHandlerConfig) {}
+
+  handle(_event: string, data: MessageDeltaData): void {
+    const content = data?.content;
+    if (!content || !Array.isArray(content)) {
+      return;
+    }
+
+    for (const part of content) {
+      if (part.type === 'text' && part.text) {
+        this.config.tracker.addText();
+        const chunk = createChunk(this.config.context, { content: part.text });
+        writeSSE(this.config.res, chunk);
+      }
+    }
+  }
+}
+
+/**
+ * Handler for run step delta events - streams tool calls
+ */
+export class OpenAIRunStepDeltaHandler implements EventHandler {
+  constructor(private config: OpenAIStreamHandlerConfig) {}
+
+  handle(_event: string, data: RunStepDeltaData): void {
+    const delta = data?.delta;
+    if (!delta || delta.type !== StepTypes.TOOL_CALLS) {
+      return;
+    }
+
+    const toolCalls = delta.tool_calls;
+    if (!toolCalls || !Array.isArray(toolCalls)) {
+      return;
+    }
+
+    for (const tc of toolCalls) {
+      if (tc.index === undefined) {
+        continue;
+      }
+
+      // Initialize tool call in tracker if needed
+      let trackedTc = this.config.tracker.toolCalls.get(tc.index);
+      if (!trackedTc && tc.id) {
+        trackedTc = {
+          id: tc.id,
+          type: 'function',
+          function: {
+            name: '',
+            arguments: '',
+          },
+        };
+        this.config.tracker.toolCalls.set(tc.index, trackedTc);
+      }
+
+      // Build the streaming delta
+      const streamDelta: ChatCompletionChunkChoice['delta'] = {
+        tool_calls: [
+          {
+            index: tc.index,
+            ...(tc.id && { id: tc.id }),
+            ...(tc.type && { type: tc.type as 'function' }),
+            ...(tc.function && {
+              function: {
+                ...(tc.function.name && { name: tc.function.name }),
+                ...(tc.function.arguments && { arguments: tc.function.arguments }),
+              },
+            }),
+          },
+        ],
+      };
+
+      // Update tracked tool call
+      if (trackedTc) {
+        if (tc.function?.name) {
+          trackedTc.function.name += tc.function.name;
+        }
+        if (tc.function?.arguments) {
+          trackedTc.function.arguments += tc.function.arguments;
+        }
+      }
+
+      const chunk = createChunk(this.config.context, streamDelta);
+      writeSSE(this.config.res, chunk);
+    }
+  }
+}
+
+/**
+ * Handler for run step events - sends initial tool call info
+ */
+export class OpenAIRunStepHandler implements EventHandler {
+  constructor(private config: OpenAIStreamHandlerConfig) {}
+
+  handle(_event: string, data: { stepDetails?: { type?: string } }): void {
+    // Run step events are primarily for LibreChat UI, we use deltas for streaming
+    // This handler is a no-op for OpenAI format
+    if (data?.stepDetails?.type === StepTypes.TOOL_CALLS) {
+      // Tool calls will be streamed via delta events
+    }
+  }
+}
+
+/**
+ * Handler for model end events - captures usage
+ */
+export class OpenAIModelEndHandler implements EventHandler {
+  constructor(private config: OpenAIStreamHandlerConfig) {}
+
+  handle(_event: string, data: ModelEndData): void {
+    const usage = data?.output?.usage_metadata;
+    if (!usage) {
+      return;
+    }
+
+    this.config.tracker.usage.promptTokens += usage.input_tokens ?? 0;
+    this.config.tracker.usage.completionTokens += usage.output_tokens ?? 0;
+  }
+}
+
+/**
+ * Handler for chat model stream events
+ */
+export class OpenAIChatModelStreamHandler implements EventHandler {
+  handle(): void {
+    // Handled by message delta handler
+  }
+}
+
+/**
+ * Handler for tool end events
+ */
+export class OpenAIToolEndHandler implements EventHandler {
+  handle(): void {
+    // Tool results don't need to be streamed in OpenAI format
+    // They're used internally by the agent
+  }
+}
+
+/**
+ * Handler for reasoning delta events.
+ * Streams reasoning/thinking content using the `delta.reasoning` field (OpenRouter convention).
+ */
+export class OpenAIReasoningDeltaHandler implements EventHandler {
+  constructor(private config: OpenAIStreamHandlerConfig) {}
+
+  handle(_event: string, data: MessageDeltaData): void {
+    const content = data?.content;
+    if (!content || !Array.isArray(content)) {
+      return;
+    }
+
+    for (const part of content) {
+      if (part.type === 'text' && part.text) {
+        // Mark that reasoning was emitted
+        this.config.tracker.addReasoning();
+
+        // Stream as delta.reasoning (OpenRouter convention)
+        const chunk = createChunk(this.config.context, { reasoning: part.text });
+        writeSSE(this.config.res, chunk);
+      }
+    }
+  }
+}
+
+/**
+ * Create all handlers for OpenAI streaming format
+ */
+export function createOpenAIHandlers(
+  config: OpenAIStreamHandlerConfig,
+): Record<string, EventHandler> {
+  return {
+    [GraphEvents.ON_MESSAGE_DELTA]: new OpenAIMessageDeltaHandler(config),
+    [GraphEvents.ON_RUN_STEP_DELTA]: new OpenAIRunStepDeltaHandler(config),
+    [GraphEvents.ON_RUN_STEP]: new OpenAIRunStepHandler(config),
+    [GraphEvents.ON_RUN_STEP_COMPLETED]: new OpenAIRunStepHandler(config),
+    [GraphEvents.CHAT_MODEL_END]: new OpenAIModelEndHandler(config),
+    [GraphEvents.CHAT_MODEL_STREAM]: new OpenAIChatModelStreamHandler(),
+    [GraphEvents.TOOL_END]: new OpenAIToolEndHandler(),
+    [GraphEvents.ON_REASONING_DELTA]: new OpenAIReasoningDeltaHandler(config),
+  };
+}
+
+/**
+ * Send the final chunk with finish_reason and optional usage
+ */
+export function sendFinalChunk(
+  config: OpenAIStreamHandlerConfig,
+  finishReason: ChatCompletionChunkChoice['finish_reason'] = 'stop',
+): void {
+  const { res, context, tracker } = config;
+
+  // Determine finish reason based on content
+  let reason = finishReason;
+  if (tracker.toolCalls.size > 0 && !tracker.hasText) {
+    reason = 'tool_calls';
+  }
+
+  // Build usage object with reasoning token details (OpenRouter/OpenAI convention)
+  const usage: CompletionUsage = {
+    prompt_tokens: tracker.usage.promptTokens,
+    completion_tokens: tracker.usage.completionTokens,
+    total_tokens: tracker.usage.promptTokens + tracker.usage.completionTokens,
+  };
+
+  // Add reasoning token breakdown if there are reasoning tokens
+  if (tracker.usage.reasoningTokens > 0) {
+    usage.completion_tokens_details = {
+      reasoning_tokens: tracker.usage.reasoningTokens,
+    };
+  }
+
+  const finalChunk = createChunk(context, {}, reason, usage);
+  writeSSE(res, finalChunk);
+
+  // Send [DONE] marker
+  writeSSE(res, '[DONE]');
+}
diff --git a/packages/api/src/agents/openai/index.ts b/packages/api/src/agents/openai/index.ts
new file mode 100644
index 000000000000..3a0a01610834
--- /dev/null
+++ b/packages/api/src/agents/openai/index.ts
@@ -0,0 +1,52 @@
+/**
+ * OpenAI-compatible API for LibreChat agents.
+ *
+ * This module provides an OpenAI v1/chat/completions compatible interface
+ * for interacting with LibreChat agents remotely via API.
+ *
+ * @example
+ * ```typescript
+ * import { createAgentChatCompletion, listAgentModels } from '@librechat/api';
+ *
+ * // POST /v1/chat/completions
+ * app.post('/v1/chat/completions', async (req, res) => {
+ *   await createAgentChatCompletion(req, res, dependencies);
+ * });
+ *
+ * // GET /v1/models
+ * app.get('/v1/models', async (req, res) => {
+ *   await listAgentModels(req, res, { getAgents });
+ * });
+ * ```
+ *
+ * Request format:
+ * ```json
+ * {
+ *   "model": "agent_id_here",
+ *   "messages": [
+ *     {"role": "user", "content": "Hello!"}
+ *   ],
+ *   "stream": true
+ * }
+ * ```
+ *
+ * The "model" parameter should be the agent ID you want to invoke.
+ * Use the /v1/models endpoint to list available agents.
+ */
+
+export * from './types';
+export * from './handlers';
+export {
+  createAgentChatCompletion,
+  listAgentModels,
+  convertMessages,
+  validateRequest,
+  isChatCompletionValidationFailure,
+  createErrorResponse,
+  sendErrorResponse,
+  buildNonStreamingResponse,
+  type ChatCompletionDependencies,
+  type ChatCompletionValidationResult,
+  type ChatCompletionValidationSuccess,
+  type ChatCompletionValidationFailure,
+} from './service';
diff --git a/packages/api/src/agents/openai/service.ts b/packages/api/src/agents/openai/service.ts
new file mode 100644
index 000000000000..3213e0123f19
--- /dev/null
+++ b/packages/api/src/agents/openai/service.ts
@@ -0,0 +1,554 @@
+/**
+ * OpenAI-compatible chat completions service for agents.
+ *
+ * This service provides an OpenAI v1/chat/completions compatible API for
+ * interacting with LibreChat agents. The agent_id is passed as the "model"
+ * parameter per OpenAI spec.
+ *
+ * Usage:
+ * ```typescript
+ * import { createAgentChatCompletion } from '@librechat/api';
+ *
+ * // In your Express route handler:
+ * app.post('/v1/chat/completions', async (req, res) => {
+ *   await createAgentChatCompletion(req, res, {
+ *     getAgent: db.getAgent,
+ *     // ... other dependencies
+ *   });
+ * });
+ * ```
+ */
+import { nanoid } from 'nanoid';
+import type { Response as ServerResponse, Request } from 'express';
+import type {
+  ChatCompletionResponse,
+  OpenAIResponseContext,
+  ChatCompletionRequest,
+  OpenAIErrorResponse,
+  CompletionUsage,
+  ChatMessage,
+  ToolCall,
+} from './types';
+import type { OpenAIStreamHandlerConfig, EventHandler } from './handlers';
+import {
+  createOpenAIContentAggregator,
+  createOpenAIStreamTracker,
+  createOpenAIHandlers,
+  sendFinalChunk,
+  createChunk,
+  writeSSE,
+} from './handlers';
+
+/**
+ * Dependencies for the chat completion service
+ */
+export interface ChatCompletionDependencies {
+  /** Get agent by ID */
+  getAgent: (params: { id: string }) => Promise<Agent | null>;
+  /** Initialize agent for use */
+  initializeAgent: (params: InitializeAgentParams) => Promise<InitializedAgent>;
+  /** Load agent tools */
+  loadAgentTools?: LoadToolsFn;
+  /** Get models config */
+  getModelsConfig?: (req: Request) => Promise<unknown>;
+  /** Validate agent model */
+  validateAgentModel?: (
+    params: unknown,
+  ) => Promise<{ isValid: boolean; error?: { message: string } }>;
+  /** Log violation */
+  logViolation?: (
+    req: Request,
+    res: ServerResponse,
+    type: string,
+    info: unknown,
+    score: number,
+  ) => Promise<void>;
+  /** Create agent run */
+  createRun?: CreateRunFn;
+  /** App config */
+  appConfig?: AppConfig;
+}
+
+/**
+ * Agent type from librechat-data-provider
+ */
+interface Agent {
+  id: string;
+  name?: string;
+  model?: string;
+  provider: string;
+  tools?: string[];
+  instructions?: string;
+  model_parameters?: Record<string, unknown>;
+  tool_resources?: Record<string, unknown>;
+  tool_options?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+
+/**
+ * Initialized agent type - note: after initialization, tools become structured tool objects
+ */
+interface InitializedAgent {
+  id: string;
+  name?: string;
+  model?: string;
+  provider: string;
+  /** After initialization, tools are structured tool objects, not strings */
+  tools: unknown[];
+  instructions?: string;
+  model_parameters?: Record<string, unknown>;
+  tool_resources?: Record<string, unknown>;
+  tool_options?: Record<string, unknown>;
+  attachments: unknown[];
+  toolContextMap: Record<string, unknown>;
+  maxContextTokens: number;
+  userMCPAuthMap?: Record<string, Record<string, string>>;
+  [key: string]: unknown;
+}
+
+/**
+ * Initialize agent params
+ */
+interface InitializeAgentParams {
+  req: Request;
+  res: ServerResponse;
+  agent: Agent;
+  conversationId?: string | null;
+  parentMessageId?: string | null;
+  requestFiles?: unknown[];
+  loadTools?: LoadToolsFn;
+  endpointOption?: Record<string, unknown>;
+  allowedProviders: Set<string>;
+  isInitialAgent?: boolean;
+}
+
+/**
+ * Tool loading function type
+ */
+type LoadToolsFn = (params: {
+  req: Request;
+  res: ServerResponse;
+  provider: string;
+  agentId: string;
+  tools: string[];
+  model: string | null;
+  tool_options: unknown;
+  tool_resources: unknown;
+}) => Promise<{
+  tools: unknown[];
+  toolContextMap: Record<string, unknown>;
+  userMCPAuthMap?: Record<string, Record<string, string>>;
+} | null>;
+
+/**
+ * Create run function type
+ */
+type CreateRunFn = (params: {
+  agents: unknown[];
+  messages: unknown[];
+  runId: string;
+  signal: AbortSignal;
+  customHandlers: Record<string, EventHandler>;
+  requestBody: Record<string, unknown>;
+  user: Record<string, unknown>;
+  tokenCounter?: (message: unknown) => number;
+}) => Promise<{
+  Graph?: unknown;
+  processStream: (
+    input: { messages: unknown[] },
+    config: Record<string, unknown>,
+    options: Record<string, unknown>,
+  ) => Promise<void>;
+} | null>;
+
+/**
+ * App config type
+ */
+interface AppConfig {
+  endpoints?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+
+/**
+ * Convert OpenAI messages to LibreChat format
+ */
+export function convertMessages(messages: ChatMessage[]): unknown[] {
+  return messages.map((msg) => {
+    let content: string | unknown[];
+    if (typeof msg.content === 'string') {
+      content = msg.content;
+    } else if (msg.content) {
+      content = msg.content.map((part) => {
+        if (part.type === 'text') {
+          return { type: 'text', text: part.text };
+        }
+        if (part.type === 'image_url') {
+          return { type: 'image_url', image_url: part.image_url };
+        }
+        return part;
+      });
+    } else {
+      content = '';
+    }
+
+    return {
+      role: msg.role,
+      content,
+      ...(msg.name && { name: msg.name }),
+      ...(msg.tool_calls && { tool_calls: msg.tool_calls }),
+      ...(msg.tool_call_id && { tool_call_id: msg.tool_call_id }),
+    };
+  });
+}
+
+/**
+ * Create an error response in OpenAI format
+ */
+export function createErrorResponse(
+  message: string,
+  type = 'invalid_request_error',
+  code: string | null = null,
+): OpenAIErrorResponse {
+  return {
+    error: {
+      message,
+      type,
+      param: null,
+      code,
+    },
+  };
+}
+
+/**
+ * Send an error response
+ */
+export function sendErrorResponse(
+  res: ServerResponse,
+  statusCode: number,
+  message: string,
+  type = 'invalid_request_error',
+  code: string | null = null,
+): void {
+  res.status(statusCode).json(createErrorResponse(message, type, code));
+}
+
+/**
+ * Validation result types for chat completion requests
+ */
+export type ChatCompletionValidationSuccess = { valid: true; request: ChatCompletionRequest };
+export type ChatCompletionValidationFailure = { valid: false; error: string };
+export type ChatCompletionValidationResult =
+  | ChatCompletionValidationSuccess
+  | ChatCompletionValidationFailure;
+
+/**
+ * Type guard for validation failure
+ */
+export function isChatCompletionValidationFailure(
+  result: ChatCompletionValidationResult,
+): result is ChatCompletionValidationFailure {
+  return !result.valid;
+}
+
+/**
+ * Validate the chat completion request
+ */
+export function validateRequest(body: unknown): ChatCompletionValidationResult {
+  if (!body || typeof body !== 'object') {
+    return { valid: false, error: 'Request body is required' };
+  }
+
+  const request = body as Record<string, unknown>;
+
+  if (!request.model || typeof request.model !== 'string') {
+    return { valid: false, error: 'model (agent_id) is required' };
+  }
+
+  if (!request.messages || !Array.isArray(request.messages)) {
+    return { valid: false, error: 'messages array is required' };
+  }
+
+  if (request.messages.length === 0) {
+    return { valid: false, error: 'messages array cannot be empty' };
+  }
+
+  // Validate each message has role and content
+  for (let i = 0; i < request.messages.length; i++) {
+    const msg = request.messages[i] as Record<string, unknown>;
+    if (!msg.role || typeof msg.role !== 'string') {
+      return { valid: false, error: `messages[${i}].role is required` };
+    }
+    if (!['system', 'user', 'assistant', 'tool'].includes(msg.role)) {
+      return {
+        valid: false,
+        error: `messages[${i}].role must be one of: system, user, assistant, tool`,
+      };
+    }
+  }
+
+  return { valid: true, request: request as unknown as ChatCompletionRequest };
+}
+
+/**
+ * Build a non-streaming response from aggregated content
+ */
+export function buildNonStreamingResponse(
+  context: OpenAIResponseContext,
+  text: string,
+  reasoning: string,
+  toolCalls: Map<number, ToolCall>,
+  usage: CompletionUsage,
+): ChatCompletionResponse {
+  const toolCallsArray = Array.from(toolCalls.values());
+  const finishReason = toolCallsArray.length > 0 && !text ? 'tool_calls' : 'stop';
+
+  return {
+    id: context.requestId,
+    object: 'chat.completion',
+    created: context.created,
+    model: context.model,
+    choices: [
+      {
+        index: 0,
+        message: {
+          role: 'assistant',
+          content: text || null,
+          ...(reasoning && { reasoning }),
+          ...(toolCallsArray.length > 0 && { tool_calls: toolCallsArray }),
+        },
+        finish_reason: finishReason,
+      },
+    ],
+    usage,
+  };
+}
+
+/**
+ * Main handler for OpenAI-compatible chat completions with agents.
+ *
+ * This function:
+ * 1. Validates the request
+ * 2. Looks up the agent by ID (model parameter)
+ * 3. Initializes the agent with tools
+ * 4. Runs the agent and streams/returns the response
+ *
+ * @param req - Express request object
+ * @param res - Express response object
+ * @param deps - Dependencies for the service
+ */
+export async function createAgentChatCompletion(
+  req: Request,
+  res: ServerResponse,
+  deps: ChatCompletionDependencies,
+): Promise<void> {
+  // Validate request
+  const validation = validateRequest(req.body);
+  if (isChatCompletionValidationFailure(validation)) {
+    sendErrorResponse(res, 400, validation.error);
+    return;
+  }
+
+  const request = validation.request;
+  const agentId = request.model;
+  const requestedStreaming = request.stream === true;
+
+  // Look up the agent
+  const agent = await deps.getAgent({ id: agentId });
+  if (!agent) {
+    sendErrorResponse(
+      res,
+      404,
+      `Agent not found: ${agentId}`,
+      'invalid_request_error',
+      'model_not_found',
+    );
+    return;
+  }
+
+  // Generate IDs
+  const requestId = `chatcmpl-${nanoid()}`;
+  const conversationId = request.conversation_id ?? nanoid();
+  const created = Math.floor(Date.now() / 1000);
+
+  // Build response context
+  const context: OpenAIResponseContext = {
+    created,
+    requestId,
+    model: agentId,
+  };
+
+  // Set up abort controller
+  const abortController = new AbortController();
+
+  // Handle client disconnect
+  req.on('close', () => {
+    abortController.abort();
+  });
+
+  try {
+    // Build allowed providers set (empty = all allowed)
+    const allowedProviders = new Set<string>();
+
+    // Initialize the agent first to check for disableStreaming
+    const initializedAgent = await deps.initializeAgent({
+      req,
+      res,
+      agent,
+      conversationId,
+      parentMessageId: request.parent_message_id,
+      loadTools: deps.loadAgentTools,
+      endpointOption: {
+        endpoint: agent.provider,
+        model_parameters: agent.model_parameters ?? {},
+      },
+      allowedProviders,
+      isInitialAgent: true,
+    });
+
+    // Determine if streaming is enabled (check both request and agent config)
+    const streamingDisabled = !!(initializedAgent.model_parameters as Record<string, unknown>)
+      ?.disableStreaming;
+    const isStreaming = requestedStreaming && !streamingDisabled;
+
+    // Create tracker for streaming or aggregator for non-streaming
+    const tracker = isStreaming ? createOpenAIStreamTracker() : null;
+    const aggregator = isStreaming ? null : createOpenAIContentAggregator();
+
+    // Set up response headers for streaming
+    if (isStreaming) {
+      res.setHeader('Content-Type', 'text/event-stream');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.setHeader('Connection', 'keep-alive');
+      res.setHeader('X-Accel-Buffering', 'no');
+      res.flushHeaders();
+
+      // Send initial chunk with role
+      const initialChunk = createChunk(context, { role: 'assistant' });
+      writeSSE(res, initialChunk);
+    }
+
+    // Create handler config (only used for streaming)
+    const handlerConfig: OpenAIStreamHandlerConfig | null =
+      isStreaming && tracker
+        ? {
+            res,
+            context,
+            tracker,
+          }
+        : null;
+
+    // Create event handlers
+    const eventHandlers = isStreaming && handlerConfig ? createOpenAIHandlers(handlerConfig) : {};
+
+    // Convert messages to internal format
+    const messages = convertMessages(request.messages);
+
+    // Create and run the agent
+    if (deps.createRun) {
+      const userId = (req as unknown as { user?: { id?: string } }).user?.id ?? 'api-user';
+
+      const run = await deps.createRun({
+        agents: [initializedAgent],
+        messages,
+        runId: requestId,
+        signal: abortController.signal,
+        customHandlers: eventHandlers,
+        requestBody: {
+          messageId: requestId,
+          conversationId,
+        },
+        user: { id: userId },
+      });
+
+      if (run) {
+        await run.processStream(
+          { messages },
+          {
+            runName: 'AgentRun',
+            configurable: {
+              thread_id: conversationId,
+              user_id: userId,
+            },
+            signal: abortController.signal,
+            streamMode: 'values',
+            version: 'v2',
+          },
+          {},
+        );
+      }
+    }
+
+    // Finalize response
+    if (isStreaming && handlerConfig) {
+      sendFinalChunk(handlerConfig);
+      res.end();
+    } else if (aggregator) {
+      // Build and send non-streaming response
+      const usage: CompletionUsage = {
+        prompt_tokens: aggregator.usage.promptTokens,
+        completion_tokens: aggregator.usage.completionTokens,
+        total_tokens: aggregator.usage.promptTokens + aggregator.usage.completionTokens,
+        ...(aggregator.usage.reasoningTokens > 0 && {
+          completion_tokens_details: { reasoning_tokens: aggregator.usage.reasoningTokens },
+        }),
+      };
+      const response = buildNonStreamingResponse(
+        context,
+        aggregator.getText(),
+        aggregator.getReasoning(),
+        aggregator.toolCalls,
+        usage,
+      );
+      res.json(response);
+    }
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'An error occurred';
+
+    // Check if we already started streaming (headers sent)
+    if (res.headersSent) {
+      // Headers already sent, try to send error in stream format
+      const errorChunk = createChunk(context, { content: `\n\nError: ${errorMessage}` }, 'stop');
+      writeSSE(res, errorChunk);
+      writeSSE(res, '[DONE]');
+      res.end();
+    } else {
+      sendErrorResponse(res, 500, errorMessage, 'server_error');
+    }
+  }
+}
+
+/**
+ * List available agents/models
+ *
+ * This provides a /v1/models compatible endpoint that lists available agents.
+ */
+export async function listAgentModels(
+  _req: Request,
+  res: ServerResponse,
+  deps: { getAgents: (params: Record<string, unknown>) => Promise<Agent[]> },
+): Promise<void> {
+  try {
+    const agents = await deps.getAgents({});
+
+    const models = agents.map((agent) => ({
+      id: agent.id,
+      object: 'model',
+      created: Math.floor(Date.now() / 1000),
+      owned_by: 'librechat',
+      permission: [],
+      root: agent.id,
+      parent: null,
+      // Extensions
+      name: agent.name,
+      provider: agent.provider,
+    }));
+
+    res.json({
+      object: 'list',
+      data: models,
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Failed to list models';
+    sendErrorResponse(res, 500, errorMessage, 'server_error');
+  }
+}
diff --git a/packages/api/src/agents/openai/types.ts b/packages/api/src/agents/openai/types.ts
new file mode 100644
index 000000000000..a33d01d085d7
--- /dev/null
+++ b/packages/api/src/agents/openai/types.ts
@@ -0,0 +1,194 @@
+/**
+ * OpenAI-compatible types for the agent chat completions API.
+ * These types follow the OpenAI API spec for /v1/chat/completions.
+ *
+ * Note: This API uses agent_id as the "model" parameter per OpenAI spec.
+ * In the future, this will be extended to support the Responses API.
+ */
+
+/**
+ * Content part types for OpenAI format
+ */
+export interface OpenAITextContentPart {
+  type: 'text';
+  text: string;
+}
+
+export interface OpenAIImageContentPart {
+  type: 'image_url';
+  image_url: {
+    url: string;
+    detail?: 'auto' | 'low' | 'high';
+  };
+}
+
+export type OpenAIContentPart = OpenAITextContentPart | OpenAIImageContentPart;
+
+/**
+ * Tool call in OpenAI format
+ */
+export interface ToolCall {
+  id: string;
+  type: 'function';
+  function: {
+    name: string;
+    arguments: string;
+  };
+}
+
+/**
+ * OpenAI chat message format
+ */
+export interface ChatMessage {
+  role: 'system' | 'user' | 'assistant' | 'tool';
+  content: string | OpenAIContentPart[] | null;
+  name?: string;
+  tool_calls?: ToolCall[];
+  tool_call_id?: string;
+}
+
+/**
+ * OpenAI chat completion request
+ */
+export interface ChatCompletionRequest {
+  /** Agent ID to invoke (maps to model in OpenAI spec) */
+  model: string;
+  /** Conversation messages */
+  messages: ChatMessage[];
+  /** Whether to stream the response */
+  stream?: boolean;
+  /** Maximum tokens to generate */
+  max_tokens?: number;
+  /** Temperature for sampling */
+  temperature?: number;
+  /** Top-p sampling */
+  top_p?: number;
+  /** Frequency penalty */
+  frequency_penalty?: number;
+  /** Presence penalty */
+  presence_penalty?: number;
+  /** Stop sequences */
+  stop?: string | string[];
+  /** User identifier */
+  user?: string;
+  /** Conversation ID (LibreChat extension) */
+  conversation_id?: string;
+  /** Parent message ID (LibreChat extension) */
+  parent_message_id?: string;
+}
+
+/**
+ * Token usage information
+ */
+export interface CompletionUsage {
+  prompt_tokens: number;
+  completion_tokens: number;
+  total_tokens: number;
+  /** Detailed breakdown of output tokens (OpenRouter/OpenAI convention) */
+  completion_tokens_details?: {
+    reasoning_tokens?: number;
+  };
+}
+
+/**
+ * Non-streaming choice
+ */
+export interface ChatCompletionChoice {
+  index: number;
+  message: {
+    role: 'assistant';
+    content: string | null;
+    /** Reasoning/thinking content (OpenRouter convention) */
+    reasoning?: string | null;
+    tool_calls?: ToolCall[];
+  };
+  finish_reason: 'stop' | 'length' | 'tool_calls' | 'content_filter' | null;
+}
+
+/**
+ * Non-streaming response
+ */
+export interface ChatCompletionResponse {
+  id: string;
+  object: 'chat.completion';
+  created: number;
+  model: string;
+  choices: ChatCompletionChoice[];
+  usage?: CompletionUsage;
+}
+
+/**
+ * Streaming choice delta
+ * Note: `reasoning` field follows OpenRouter convention for streaming reasoning/thinking content
+ */
+export interface ChatCompletionChunkChoice {
+  index: number;
+  delta: {
+    role?: 'assistant';
+    content?: string | null;
+    /** Reasoning/thinking content (OpenRouter convention) */
+    reasoning?: string | null;
+    tool_calls?: Array<{
+      index: number;
+      id?: string;
+      type?: 'function';
+      function?: {
+        name?: string;
+        arguments?: string;
+      };
+    }>;
+  };
+  finish_reason: 'stop' | 'length' | 'tool_calls' | 'content_filter' | null;
+}
+
+/**
+ * Streaming response chunk
+ */
+export interface ChatCompletionChunk {
+  id: string;
+  object: 'chat.completion.chunk';
+  created: number;
+  model: string;
+  choices: ChatCompletionChunkChoice[];
+  /** Final chunk may include usage */
+  usage?: CompletionUsage;
+}
+
+/**
+ * SSE event wrapper for streaming
+ */
+export interface SSEEvent {
+  data: ChatCompletionChunk | '[DONE]';
+}
+
+/**
+ * Context for building OpenAI responses
+ */
+export interface OpenAIResponseContext {
+  /** Request ID for the chat completion */
+  requestId: string;
+  /** Model/agent ID */
+  model: string;
+  /** Created timestamp */
+  created: number;
+}
+
+/**
+ * Aggregated content for building final response
+ */
+export interface AggregatedContent {
+  text: string;
+  toolCalls: ToolCall[];
+}
+
+/**
+ * Error response in OpenAI format
+ */
+export interface OpenAIErrorResponse {
+  error: {
+    message: string;
+    type: string;
+    param: string | null;
+    code: string | null;
+  };
+}
diff --git a/packages/api/src/agents/responses/handlers.ts b/packages/api/src/agents/responses/handlers.ts
new file mode 100644
index 000000000000..712be852bd0b
--- /dev/null
+++ b/packages/api/src/agents/responses/handlers.ts
@@ -0,0 +1,914 @@
+/**
+ * Open Responses API Handlers
+ *
+ * Semantic event emitters and response tracking for the Open Responses API.
+ * Events follow the Open Responses spec with proper lifecycle management.
+ */
+import type { Response as ServerResponse } from 'express';
+import type {
+  Response,
+  ResponseContext,
+  ResponseEvent,
+  OutputItem,
+  MessageItem,
+  FunctionCallItem,
+  FunctionCallOutputItem,
+  ReasoningItem,
+  OutputTextContent,
+  ReasoningTextContent,
+  ItemStatus,
+  ResponseStatus,
+} from './types';
+
+/* =============================================================================
+ * RESPONSE TRACKER
+ * ============================================================================= */
+
+/**
+ * Tracks the state of a response during streaming.
+ * Manages items, sequence numbers, and accumulated content.
+ */
+export interface ResponseTracker {
+  /** Current sequence number (monotonically increasing) */
+  sequenceNumber: number;
+  /** Output items being built */
+  items: OutputItem[];
+  /** Current message item (if any) */
+  currentMessage: MessageItem | null;
+  /** Current message content index */
+  currentContentIndex: number;
+  /** Current reasoning item (if any) */
+  currentReasoning: ReasoningItem | null;
+  /** Current reasoning content index */
+  currentReasoningContentIndex: number;
+  /** Map of function call items by call_id */
+  functionCalls: Map<string, FunctionCallItem>;
+  /** Map of function call outputs by call_id */
+  functionCallOutputs: Map<string, FunctionCallOutputItem>;
+  /** Accumulated text for current message */
+  accumulatedText: string;
+  /** Accumulated reasoning text */
+  accumulatedReasoningText: string;
+  /** Accumulated function call arguments by call_id */
+  accumulatedArguments: Map<string, string>;
+  /** Token usage */
+  usage: {
+    inputTokens: number;
+    outputTokens: number;
+    reasoningTokens: number;
+    cachedTokens: number;
+  };
+  /** Response status */
+  status: ResponseStatus;
+  /** Get next sequence number */
+  nextSequence: () => number;
+}
+
+/**
+ * Create a new response tracker
+ */
+export function createResponseTracker(): ResponseTracker {
+  const tracker: ResponseTracker = {
+    sequenceNumber: 0,
+    items: [],
+    currentMessage: null,
+    currentContentIndex: 0,
+    currentReasoning: null,
+    currentReasoningContentIndex: 0,
+    functionCalls: new Map(),
+    functionCallOutputs: new Map(),
+    accumulatedText: '',
+    accumulatedReasoningText: '',
+    accumulatedArguments: new Map(),
+    usage: {
+      inputTokens: 0,
+      outputTokens: 0,
+      reasoningTokens: 0,
+      cachedTokens: 0,
+    },
+    status: 'in_progress',
+    nextSequence: () => tracker.sequenceNumber++,
+  };
+  return tracker;
+}
+
+/* =============================================================================
+ * SSE EVENT WRITING
+ * ============================================================================= */
+
+/**
+ * Write a semantic SSE event to the response.
+ * The `event:` field matches the `type` in the data payload.
+ */
+export function writeEvent(res: ServerResponse, event: ResponseEvent): void {
+  res.write(`event: ${event.type}\n`);
+  res.write(`data: ${JSON.stringify(event)}\n\n`);
+}
+
+/**
+ * Write the terminal [DONE] event
+ */
+export function writeDone(res: ServerResponse): void {
+  res.write('data: [DONE]\n\n');
+}
+
+/* =============================================================================
+ * RESPONSE BUILDING
+ * ============================================================================= */
+
+/**
+ * Build a Response object from context and tracker
+ * Includes all required fields per Open Responses spec
+ */
+export function buildResponse(
+  context: ResponseContext,
+  tracker: ResponseTracker,
+  status: ResponseStatus = 'in_progress',
+): Response {
+  const isCompleted = status === 'completed';
+
+  return {
+    // Required fields
+    id: context.responseId,
+    object: 'response',
+    created_at: context.createdAt,
+    completed_at: isCompleted ? Math.floor(Date.now() / 1000) : null,
+    status,
+    incomplete_details: null,
+    model: context.model,
+    previous_response_id: context.previousResponseId ?? null,
+    instructions: context.instructions ?? null,
+    output: tracker.items,
+    error: null,
+    tools: [],
+    tool_choice: 'auto',
+    truncation: 'disabled',
+    parallel_tool_calls: true,
+    text: { format: { type: 'text' } },
+    temperature: 1,
+    top_p: 1,
+    presence_penalty: 0,
+    frequency_penalty: 0,
+    top_logprobs: 0,
+    reasoning: null,
+    user: null,
+    usage: isCompleted
+      ? {
+          input_tokens: tracker.usage.inputTokens,
+          output_tokens: tracker.usage.outputTokens,
+          total_tokens: tracker.usage.inputTokens + tracker.usage.outputTokens,
+          input_tokens_details: { cached_tokens: tracker.usage.cachedTokens },
+          output_tokens_details: { reasoning_tokens: tracker.usage.reasoningTokens },
+        }
+      : null,
+    max_output_tokens: null,
+    max_tool_calls: null,
+    store: false,
+    background: false,
+    service_tier: 'default',
+    metadata: {},
+    safety_identifier: null,
+    prompt_cache_key: null,
+  };
+}
+
+/* =============================================================================
+ * ITEM BUILDERS
+ * ============================================================================= */
+
+let itemIdCounter = 0;
+
+/**
+ * Generate a unique item ID
+ */
+export function generateItemId(prefix: string): string {
+  return `${prefix}_${Date.now().toString(36)}${(itemIdCounter++).toString(36)}`;
+}
+
+/**
+ * Create a new message item
+ */
+export function createMessageItem(status: ItemStatus = 'in_progress'): MessageItem {
+  return {
+    type: 'message',
+    id: generateItemId('msg'),
+    role: 'assistant',
+    status,
+    content: [],
+  };
+}
+
+/**
+ * Create a new function call item
+ */
+export function createFunctionCallItem(
+  callId: string,
+  name: string,
+  status: ItemStatus = 'in_progress',
+): FunctionCallItem {
+  return {
+    type: 'function_call',
+    id: generateItemId('fc'),
+    call_id: callId,
+    name,
+    arguments: '',
+    status,
+  };
+}
+
+/**
+ * Create a new function call output item
+ */
+export function createFunctionCallOutputItem(
+  callId: string,
+  output: string,
+  status: ItemStatus = 'completed',
+): FunctionCallOutputItem {
+  return {
+    type: 'function_call_output',
+    id: generateItemId('fco'),
+    call_id: callId,
+    output,
+    status,
+  };
+}
+
+/**
+ * Create a new reasoning item
+ */
+export function createReasoningItem(status: ItemStatus = 'in_progress'): ReasoningItem {
+  return {
+    type: 'reasoning',
+    id: generateItemId('reason'),
+    status,
+    content: [],
+    summary: [],
+  };
+}
+
+/**
+ * Create output text content
+ */
+export function createOutputTextContent(text: string = ''): OutputTextContent {
+  return {
+    type: 'output_text',
+    text,
+    annotations: [],
+    logprobs: [],
+  };
+}
+
+/**
+ * Create reasoning text content
+ */
+export function createReasoningTextContent(text: string = ''): ReasoningTextContent {
+  return {
+    type: 'reasoning_text',
+    text,
+  };
+}
+
+/* =============================================================================
+ * STREAMING EVENT EMITTERS
+ * ============================================================================= */
+
+export interface StreamHandlerConfig {
+  res: ServerResponse;
+  context: ResponseContext;
+  tracker: ResponseTracker;
+}
+
+/**
+ * Emit response.created event
+ * This is the first event emitted per the Open Responses spec
+ */
+export function emitResponseCreated(config: StreamHandlerConfig): void {
+  const { res, context, tracker } = config;
+  const response = buildResponse(context, tracker, 'in_progress');
+  writeEvent(res, {
+    type: 'response.created',
+    sequence_number: tracker.nextSequence(),
+    response,
+  });
+}
+
+/**
+ * Emit response.in_progress event
+ */
+export function emitResponseInProgress(config: StreamHandlerConfig): void {
+  const { res, context, tracker } = config;
+  const response = buildResponse(context, tracker, 'in_progress');
+  writeEvent(res, {
+    type: 'response.in_progress',
+    sequence_number: tracker.nextSequence(),
+    response,
+  });
+}
+
+/**
+ * Emit response.completed event
+ */
+export function emitResponseCompleted(config: StreamHandlerConfig): void {
+  const { res, context, tracker } = config;
+  tracker.status = 'completed';
+  const response = buildResponse(context, tracker, 'completed');
+  writeEvent(res, {
+    type: 'response.completed',
+    sequence_number: tracker.nextSequence(),
+    response,
+  });
+}
+
+/**
+ * Emit response.failed event
+ */
+export function emitResponseFailed(
+  config: StreamHandlerConfig,
+  error: { type: string; message: string; code?: string },
+): void {
+  const { res, context, tracker } = config;
+  tracker.status = 'failed';
+  const response = buildResponse(context, tracker, 'failed');
+  response.error = {
+    type: error.type as
+      | 'server_error'
+      | 'invalid_request'
+      | 'not_found'
+      | 'model_error'
+      | 'too_many_requests',
+    message: error.message,
+    code: error.code,
+  };
+  writeEvent(res, {
+    type: 'response.failed',
+    sequence_number: tracker.nextSequence(),
+    response,
+  });
+}
+
+/**
+ * Emit response.output_item.added event for a message
+ */
+export function emitMessageItemAdded(config: StreamHandlerConfig): MessageItem {
+  const { res, tracker } = config;
+  const item = createMessageItem('in_progress');
+  tracker.currentMessage = item;
+  tracker.currentContentIndex = 0;
+  tracker.accumulatedText = '';
+  tracker.items.push(item);
+
+  writeEvent(res, {
+    type: 'response.output_item.added',
+    sequence_number: tracker.nextSequence(),
+    output_index: tracker.items.length - 1,
+    item,
+  });
+
+  return item;
+}
+
+/**
+ * Emit response.output_item.done event for a message
+ */
+export function emitMessageItemDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentMessage) {
+    return;
+  }
+
+  tracker.currentMessage.status = 'completed';
+  const outputIndex = tracker.items.indexOf(tracker.currentMessage);
+
+  writeEvent(res, {
+    type: 'response.output_item.done',
+    sequence_number: tracker.nextSequence(),
+    output_index: outputIndex,
+    item: tracker.currentMessage,
+  });
+
+  tracker.currentMessage = null;
+}
+
+/**
+ * Emit response.content_part.added for text content
+ */
+export function emitTextContentPartAdded(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentMessage) {
+    return;
+  }
+
+  const part = createOutputTextContent('');
+  tracker.currentMessage.content.push(part);
+  const outputIndex = tracker.items.indexOf(tracker.currentMessage);
+
+  writeEvent(res, {
+    type: 'response.content_part.added',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentMessage.id,
+    output_index: outputIndex,
+    content_index: tracker.currentContentIndex,
+    part,
+  });
+}
+
+/**
+ * Emit response.output_text.delta event
+ */
+export function emitOutputTextDelta(config: StreamHandlerConfig, delta: string): void {
+  const { res, tracker } = config;
+  if (!tracker.currentMessage) {
+    return;
+  }
+
+  tracker.accumulatedText += delta;
+  const outputIndex = tracker.items.indexOf(tracker.currentMessage);
+
+  writeEvent(res, {
+    type: 'response.output_text.delta',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentMessage.id,
+    output_index: outputIndex,
+    content_index: tracker.currentContentIndex,
+    delta,
+    logprobs: [],
+  });
+}
+
+/**
+ * Emit response.output_text.done event
+ */
+export function emitOutputTextDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentMessage) {
+    return;
+  }
+
+  const outputIndex = tracker.items.indexOf(tracker.currentMessage);
+  const contentIndex = tracker.currentContentIndex;
+
+  // Update the content part with final text
+  if (tracker.currentMessage.content[contentIndex]) {
+    (tracker.currentMessage.content[contentIndex] as OutputTextContent).text =
+      tracker.accumulatedText;
+  }
+
+  writeEvent(res, {
+    type: 'response.output_text.done',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentMessage.id,
+    output_index: outputIndex,
+    content_index: contentIndex,
+    text: tracker.accumulatedText,
+    logprobs: [],
+  });
+}
+
+/**
+ * Emit response.content_part.done for text content
+ */
+export function emitTextContentPartDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentMessage) {
+    return;
+  }
+
+  const outputIndex = tracker.items.indexOf(tracker.currentMessage);
+  const contentIndex = tracker.currentContentIndex;
+  const part = tracker.currentMessage.content[contentIndex];
+
+  if (part) {
+    writeEvent(res, {
+      type: 'response.content_part.done',
+      sequence_number: tracker.nextSequence(),
+      item_id: tracker.currentMessage.id,
+      output_index: outputIndex,
+      content_index: contentIndex,
+      part,
+    });
+  }
+
+  tracker.currentContentIndex++;
+}
+
+/* =============================================================================
+ * FUNCTION CALL EVENT EMITTERS
+ * ============================================================================= */
+
+/**
+ * Emit response.output_item.added for a function call
+ */
+export function emitFunctionCallItemAdded(
+  config: StreamHandlerConfig,
+  callId: string,
+  name: string,
+): FunctionCallItem {
+  const { res, tracker } = config;
+  const item = createFunctionCallItem(callId, name, 'in_progress');
+  tracker.functionCalls.set(callId, item);
+  tracker.accumulatedArguments.set(callId, '');
+  tracker.items.push(item);
+
+  writeEvent(res, {
+    type: 'response.output_item.added',
+    sequence_number: tracker.nextSequence(),
+    output_index: tracker.items.length - 1,
+    item,
+  });
+
+  return item;
+}
+
+/**
+ * Emit response.function_call_arguments.delta event
+ */
+export function emitFunctionCallArgumentsDelta(
+  config: StreamHandlerConfig,
+  callId: string,
+  delta: string,
+): void {
+  const { res, tracker } = config;
+  const item = tracker.functionCalls.get(callId);
+  if (!item) {
+    return;
+  }
+
+  const accumulated = (tracker.accumulatedArguments.get(callId) ?? '') + delta;
+  tracker.accumulatedArguments.set(callId, accumulated);
+  item.arguments = accumulated;
+
+  const outputIndex = tracker.items.indexOf(item);
+
+  writeEvent(res, {
+    type: 'response.function_call_arguments.delta',
+    sequence_number: tracker.nextSequence(),
+    item_id: item.id,
+    output_index: outputIndex,
+    call_id: callId,
+    delta,
+  });
+}
+
+/**
+ * Emit response.function_call_arguments.done event
+ */
+export function emitFunctionCallArgumentsDone(config: StreamHandlerConfig, callId: string): void {
+  const { res, tracker } = config;
+  const item = tracker.functionCalls.get(callId);
+  if (!item) {
+    return;
+  }
+
+  const outputIndex = tracker.items.indexOf(item);
+  const args = tracker.accumulatedArguments.get(callId) ?? '';
+
+  writeEvent(res, {
+    type: 'response.function_call_arguments.done',
+    sequence_number: tracker.nextSequence(),
+    item_id: item.id,
+    output_index: outputIndex,
+    call_id: callId,
+    arguments: args,
+  });
+}
+
+/**
+ * Emit response.output_item.done for a function call
+ */
+export function emitFunctionCallItemDone(config: StreamHandlerConfig, callId: string): void {
+  const { res, tracker } = config;
+  const item = tracker.functionCalls.get(callId);
+  if (!item) {
+    return;
+  }
+
+  item.status = 'completed';
+  const outputIndex = tracker.items.indexOf(item);
+
+  writeEvent(res, {
+    type: 'response.output_item.done',
+    sequence_number: tracker.nextSequence(),
+    output_index: outputIndex,
+    item,
+  });
+}
+
+/**
+ * Emit function call output item (internal tool result)
+ */
+export function emitFunctionCallOutputItem(
+  config: StreamHandlerConfig,
+  callId: string,
+  output: string,
+): void {
+  const { res, tracker } = config;
+  const item = createFunctionCallOutputItem(callId, output, 'completed');
+  tracker.functionCallOutputs.set(callId, item);
+  tracker.items.push(item);
+
+  // Emit added
+  writeEvent(res, {
+    type: 'response.output_item.added',
+    sequence_number: tracker.nextSequence(),
+    output_index: tracker.items.length - 1,
+    item,
+  });
+
+  // Immediately emit done since it's already complete
+  writeEvent(res, {
+    type: 'response.output_item.done',
+    sequence_number: tracker.nextSequence(),
+    output_index: tracker.items.length - 1,
+    item,
+  });
+}
+
+/* =============================================================================
+ * REASONING EVENT EMITTERS
+ * ============================================================================= */
+
+/**
+ * Emit response.output_item.added for reasoning
+ */
+export function emitReasoningItemAdded(config: StreamHandlerConfig): ReasoningItem {
+  const { res, tracker } = config;
+  const item = createReasoningItem('in_progress');
+  tracker.currentReasoning = item;
+  tracker.currentReasoningContentIndex = 0;
+  tracker.accumulatedReasoningText = '';
+  tracker.items.push(item);
+
+  writeEvent(res, {
+    type: 'response.output_item.added',
+    sequence_number: tracker.nextSequence(),
+    output_index: tracker.items.length - 1,
+    item,
+  });
+
+  return item;
+}
+
+/**
+ * Emit response.content_part.added for reasoning
+ */
+export function emitReasoningContentPartAdded(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentReasoning) {
+    return;
+  }
+
+  const part = createReasoningTextContent('');
+  if (!tracker.currentReasoning.content) {
+    tracker.currentReasoning.content = [];
+  }
+  tracker.currentReasoning.content.push(part);
+  const outputIndex = tracker.items.indexOf(tracker.currentReasoning);
+
+  writeEvent(res, {
+    type: 'response.content_part.added',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentReasoning.id,
+    output_index: outputIndex,
+    content_index: tracker.currentReasoningContentIndex,
+    part,
+  });
+}
+
+/**
+ * Emit response.reasoning.delta event
+ */
+export function emitReasoningDelta(config: StreamHandlerConfig, delta: string): void {
+  const { res, tracker } = config;
+  if (!tracker.currentReasoning) {
+    return;
+  }
+
+  tracker.accumulatedReasoningText += delta;
+  const outputIndex = tracker.items.indexOf(tracker.currentReasoning);
+
+  writeEvent(res, {
+    type: 'response.reasoning.delta',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentReasoning.id,
+    output_index: outputIndex,
+    content_index: tracker.currentReasoningContentIndex,
+    delta,
+  });
+}
+
+/**
+ * Emit response.reasoning.done event
+ */
+export function emitReasoningDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentReasoning || !tracker.currentReasoning.content) {
+    return;
+  }
+
+  const outputIndex = tracker.items.indexOf(tracker.currentReasoning);
+  const contentIndex = tracker.currentReasoningContentIndex;
+
+  // Update the content part with final text
+  if (tracker.currentReasoning.content[contentIndex]) {
+    (tracker.currentReasoning.content[contentIndex] as ReasoningTextContent).text =
+      tracker.accumulatedReasoningText;
+  }
+
+  writeEvent(res, {
+    type: 'response.reasoning.done',
+    sequence_number: tracker.nextSequence(),
+    item_id: tracker.currentReasoning.id,
+    output_index: outputIndex,
+    content_index: contentIndex,
+    text: tracker.accumulatedReasoningText,
+  });
+}
+
+/**
+ * Emit response.content_part.done for reasoning
+ */
+export function emitReasoningContentPartDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentReasoning || !tracker.currentReasoning.content) {
+    return;
+  }
+
+  const outputIndex = tracker.items.indexOf(tracker.currentReasoning);
+  const contentIndex = tracker.currentReasoningContentIndex;
+  const part = tracker.currentReasoning.content[contentIndex];
+
+  if (part) {
+    writeEvent(res, {
+      type: 'response.content_part.done',
+      sequence_number: tracker.nextSequence(),
+      item_id: tracker.currentReasoning.id,
+      output_index: outputIndex,
+      content_index: contentIndex,
+      part,
+    });
+  }
+
+  tracker.currentReasoningContentIndex++;
+}
+
+/**
+ * Emit response.output_item.done for reasoning
+ */
+export function emitReasoningItemDone(config: StreamHandlerConfig): void {
+  const { res, tracker } = config;
+  if (!tracker.currentReasoning) {
+    return;
+  }
+
+  tracker.currentReasoning.status = 'completed';
+  const outputIndex = tracker.items.indexOf(tracker.currentReasoning);
+
+  writeEvent(res, {
+    type: 'response.output_item.done',
+    sequence_number: tracker.nextSequence(),
+    output_index: outputIndex,
+    item: tracker.currentReasoning,
+  });
+
+  tracker.currentReasoning = null;
+}
+
+/* =============================================================================
+ * ERROR HANDLING
+ * ============================================================================= */
+
+/**
+ * Emit error event
+ */
+export function emitError(
+  config: StreamHandlerConfig,
+  error: { type: string; message: string; code?: string },
+): void {
+  const { res, tracker } = config;
+
+  writeEvent(res, {
+    type: 'error',
+    sequence_number: tracker.nextSequence(),
+    error: {
+      type: error.type as 'server_error',
+      message: error.message,
+      code: error.code,
+    },
+  });
+}
+
+/* =============================================================================
+ * LIBRECHAT EXTENSION EVENTS
+ * Custom events prefixed with 'librechat:' per Open Responses spec
+ * @see https://openresponses.org/specification#extending-streaming-events
+ * ============================================================================= */
+
+/**
+ * Attachment data for librechat:attachment events
+ */
+export interface AttachmentData {
+  /** File ID in LibreChat storage */
+  file_id?: string;
+  /** Original filename */
+  filename?: string;
+  /** MIME type */
+  type?: string;
+  /** URL to access the file */
+  url?: string;
+  /** Base64-encoded image data (for inline images) */
+  image_url?: string;
+  /** Width for images */
+  width?: number;
+  /** Height for images */
+  height?: number;
+  /** Associated tool call ID */
+  tool_call_id?: string;
+  /** Additional metadata */
+  [key: string]: unknown;
+}
+
+/**
+ * Emit librechat:attachment event for file/image attachments
+ * This is a LibreChat extension to the Open Responses streaming protocol.
+ * External clients can safely ignore these events.
+ */
+export function emitAttachment(
+  config: StreamHandlerConfig,
+  attachment: AttachmentData,
+  options?: {
+    messageId?: string;
+    conversationId?: string;
+  },
+): void {
+  const { res, tracker } = config;
+
+  writeEvent(res, {
+    type: 'librechat:attachment',
+    sequence_number: tracker.nextSequence(),
+    attachment,
+    message_id: options?.messageId,
+    conversation_id: options?.conversationId,
+  });
+}
+
+/**
+ * Write attachment event directly to response (for use outside streaming context)
+ * Useful when attachment processing happens asynchronously
+ */
+export function writeAttachmentEvent(
+  res: ServerResponse,
+  sequenceNumber: number,
+  attachment: AttachmentData,
+  options?: {
+    messageId?: string;
+    conversationId?: string;
+  },
+): void {
+  writeEvent(res, {
+    type: 'librechat:attachment',
+    sequence_number: sequenceNumber,
+    attachment,
+    message_id: options?.messageId,
+    conversation_id: options?.conversationId,
+  });
+}
+
+/* =============================================================================
+ * NON-STREAMING RESPONSE BUILDER
+ * ============================================================================= */
+
+/**
+ * Build a complete non-streaming response
+ */
+export function buildResponsesNonStreamingResponse(
+  context: ResponseContext,
+  tracker: ResponseTracker,
+): Response {
+  return buildResponse(context, tracker, 'completed');
+}
+
+/**
+ * Update tracker usage from collected data
+ */
+export function updateTrackerUsage(
+  tracker: ResponseTracker,
+  usage: {
+    promptTokens?: number;
+    completionTokens?: number;
+    reasoningTokens?: number;
+    cachedTokens?: number;
+  },
+): void {
+  if (usage.promptTokens != null) {
+    tracker.usage.inputTokens = usage.promptTokens;
+  }
+  if (usage.completionTokens != null) {
+    tracker.usage.outputTokens = usage.completionTokens;
+  }
+  if (usage.reasoningTokens != null) {
+    tracker.usage.reasoningTokens = usage.reasoningTokens;
+  }
+  if (usage.cachedTokens != null) {
+    tracker.usage.cachedTokens = usage.cachedTokens;
+  }
+}
diff --git a/packages/api/src/agents/responses/index.ts b/packages/api/src/agents/responses/index.ts
new file mode 100644
index 000000000000..ecfb1c20474c
--- /dev/null
+++ b/packages/api/src/agents/responses/index.ts
@@ -0,0 +1,183 @@
+/**
+ * Open Responses API Module
+ *
+ * Exports for the Open Responses API implementation.
+ * @see https://openresponses.org/specification
+ */
+
+// Types
+export type {
+  // Enums
+  ItemStatus,
+  ResponseStatus,
+  MessageRole,
+  ToolChoiceValue,
+  TruncationValue,
+  ServiceTier,
+  ReasoningEffort,
+  ReasoningSummary,
+  // Input content
+  InputTextContent,
+  InputImageContent,
+  InputFileContent,
+  InputContent,
+  // Output content
+  LogProb,
+  TopLogProb,
+  OutputTextContent,
+  RefusalContent,
+  ModelContent,
+  // Annotations
+  UrlCitationAnnotation,
+  FileCitationAnnotation,
+  Annotation,
+  // Reasoning content
+  ReasoningTextContent,
+  SummaryTextContent,
+  ReasoningContent,
+  // Input items
+  SystemMessageItemParam,
+  DeveloperMessageItemParam,
+  UserMessageItemParam,
+  AssistantMessageItemParam,
+  FunctionCallItemParam,
+  FunctionCallOutputItemParam,
+  ReasoningItemParam,
+  ItemReferenceParam,
+  InputItem,
+  // Output items
+  MessageItem,
+  FunctionCallItem,
+  FunctionCallOutputItem,
+  ReasoningItem,
+  OutputItem,
+  // Tools
+  FunctionTool,
+  HostedTool,
+  Tool,
+  FunctionToolChoice,
+  ToolChoice,
+  // Request
+  ReasoningConfig,
+  TextConfig,
+  StreamOptions,
+  Metadata,
+  ResponseRequest,
+  // Response field types
+  TextField,
+  // Response
+  InputTokensDetails,
+  OutputTokensDetails,
+  Usage,
+  IncompleteDetails,
+  ResponseError,
+  Response,
+  // Streaming events
+  BaseEvent,
+  ResponseCreatedEvent,
+  ResponseInProgressEvent,
+  ResponseCompletedEvent,
+  ResponseFailedEvent,
+  ResponseIncompleteEvent,
+  OutputItemAddedEvent,
+  OutputItemDoneEvent,
+  ContentPartAddedEvent,
+  ContentPartDoneEvent,
+  OutputTextDeltaEvent,
+  OutputTextDoneEvent,
+  RefusalDeltaEvent,
+  RefusalDoneEvent,
+  FunctionCallArgumentsDeltaEvent,
+  FunctionCallArgumentsDoneEvent,
+  ReasoningDeltaEvent,
+  ReasoningDoneEvent,
+  ErrorEvent,
+  ResponseEvent,
+  // LibreChat extensions
+  LibreChatAttachmentContent,
+  LibreChatAttachmentEvent,
+  // Internal
+  ResponseContext,
+  RequestValidationResult,
+} from './types';
+
+// Handlers
+export {
+  // Tracker
+  createResponseTracker,
+  type ResponseTracker,
+  // SSE
+  writeEvent,
+  writeDone,
+  // Response building
+  buildResponse,
+  // Item builders
+  generateItemId,
+  createMessageItem,
+  createFunctionCallItem,
+  createFunctionCallOutputItem,
+  createReasoningItem,
+  createOutputTextContent,
+  createReasoningTextContent,
+  // Stream config
+  type StreamHandlerConfig,
+  // Response events
+  emitResponseCreated,
+  emitResponseInProgress,
+  emitResponseCompleted,
+  emitResponseFailed,
+  // Message events
+  emitMessageItemAdded,
+  emitMessageItemDone,
+  emitTextContentPartAdded,
+  emitOutputTextDelta,
+  emitOutputTextDone,
+  emitTextContentPartDone,
+  // Function call events
+  emitFunctionCallItemAdded,
+  emitFunctionCallArgumentsDelta,
+  emitFunctionCallArgumentsDone,
+  emitFunctionCallItemDone,
+  emitFunctionCallOutputItem,
+  // Reasoning events
+  emitReasoningItemAdded,
+  emitReasoningContentPartAdded,
+  emitReasoningDelta,
+  emitReasoningDone,
+  emitReasoningContentPartDone,
+  emitReasoningItemDone,
+  // Error events
+  emitError,
+  // LibreChat extension events
+  emitAttachment,
+  writeAttachmentEvent,
+  type AttachmentData,
+  // Non-streaming
+  buildResponsesNonStreamingResponse,
+  updateTrackerUsage,
+} from './handlers';
+
+// Service
+export {
+  // Validation
+  validateResponseRequest,
+  isValidationFailure,
+  // Input conversion
+  convertInputToMessages,
+  mergeMessagesWithInput,
+  type InternalMessage,
+  // Error response
+  sendResponsesErrorResponse,
+  // Context
+  generateResponseId,
+  createResponseContext,
+  // Streaming setup
+  setupStreamingResponse,
+  // Event handlers
+  createResponsesEventHandlers,
+  // Non-streaming
+  createResponseAggregator,
+  buildAggregatedResponse,
+  createAggregatorEventHandlers,
+  type ResponseAggregator,
+} from './service';
diff --git a/packages/api/src/agents/responses/service.ts b/packages/api/src/agents/responses/service.ts
new file mode 100644
index 000000000000..842db866794d
--- /dev/null
+++ b/packages/api/src/agents/responses/service.ts
@@ -0,0 +1,869 @@
+/**
+ * Open Responses API Service
+ *
+ * Core service for processing Open Responses API requests.
+ * Handles input conversion, message formatting, and request validation.
+ */
+import type { Response as ServerResponse } from 'express';
+import type {
+  ResponseRequest,
+  RequestValidationResult,
+  InputItem,
+  InputContent,
+  ResponseContext,
+  Response,
+} from './types';
+import {
+  writeDone,
+  emitResponseCompleted,
+  emitMessageItemAdded,
+  emitMessageItemDone,
+  emitTextContentPartAdded,
+  emitOutputTextDelta,
+  emitOutputTextDone,
+  emitTextContentPartDone,
+  emitFunctionCallItemAdded,
+  emitFunctionCallArgumentsDelta,
+  emitFunctionCallArgumentsDone,
+  emitFunctionCallItemDone,
+  emitFunctionCallOutputItem,
+  emitReasoningItemAdded,
+  emitReasoningContentPartAdded,
+  emitReasoningDelta,
+  emitReasoningDone,
+  emitReasoningContentPartDone,
+  emitReasoningItemDone,
+  updateTrackerUsage,
+  type StreamHandlerConfig,
+} from './handlers';
+
+/* =============================================================================
+ * REQUEST VALIDATION
+ * ============================================================================= */
+
+/**
+ * Validate a request body
+ */
+export function validateResponseRequest(body: unknown): RequestValidationResult {
+  if (!body || typeof body !== 'object') {
+    return { valid: false, error: 'Request body is required' };
+  }
+
+  const request = body as Record<string, unknown>;
+
+  // Required: model
+  if (!request.model || typeof request.model !== 'string') {
+    return { valid: false, error: 'model is required and must be a string' };
+  }
+
+  // Required: input (string or array)
+  if (request.input === undefined || request.input === null) {
+    return { valid: false, error: 'input is required' };
+  }
+
+  if (typeof request.input !== 'string' && !Array.isArray(request.input)) {
+    return { valid: false, error: 'input must be a string or array of items' };
+  }
+
+  // Optional validations
+  if (request.stream !== undefined && typeof request.stream !== 'boolean') {
+    return { valid: false, error: 'stream must be a boolean' };
+  }
+
+  if (request.temperature !== undefined) {
+    const temp = request.temperature as number;
+    if (typeof temp !== 'number' || temp < 0 || temp > 2) {
+      return { valid: false, error: 'temperature must be a number between 0 and 2' };
+    }
+  }
+
+  if (request.max_output_tokens !== undefined) {
+    if (typeof request.max_output_tokens !== 'number' || request.max_output_tokens < 1) {
+      return { valid: false, error: 'max_output_tokens must be a positive number' };
+    }
+  }
+
+  return { valid: true, request: request as unknown as ResponseRequest };
+}
+
+/**
+ * Check if validation failed
+ */
+export function isValidationFailure(
+  result: RequestValidationResult,
+): result is { valid: false; error: string } {
+  return !result.valid;
+}
+
+/* =============================================================================
+ * INPUT CONVERSION
+ * ============================================================================= */
+
+/** Internal message format (LibreChat-compatible) */
+export interface InternalMessage {
+  role: 'system' | 'user' | 'assistant' | 'tool';
+  content: string | Array<{ type: string; text?: string; image_url?: unknown }>;
+  name?: string;
+  tool_call_id?: string;
+  tool_calls?: Array<{
+    id: string;
+    type: 'function';
+    function: { name: string; arguments: string };
+  }>;
+}
+
+/**
+ * Convert Open Responses input to internal message format.
+ * Handles both string input and array of items.
+ */
+export function convertInputToMessages(input: string | InputItem[]): InternalMessage[] {
+  // Simple string input becomes a user message
+  if (typeof input === 'string') {
+    return [{ role: 'user', content: input }];
+  }
+
+  const messages: InternalMessage[] = [];
+
+  for (const item of input) {
+    if (item.type === 'item_reference') {
+      // Skip item references - they're handled by previous_response_id
+      continue;
+    }
+
+    if (item.type === 'message') {
+      const messageItem = item as {
+        type: 'message';
+        role: string;
+        content: string | InputContent[];
+      };
+
+      let content: InternalMessage['content'];
+
+      if (typeof messageItem.content === 'string') {
+        content = messageItem.content;
+      } else if (Array.isArray(messageItem.content)) {
+        content = messageItem.content.map((part) => {
+          if (part.type === 'input_text') {
+            return { type: 'text', text: part.text };
+          }
+          if (part.type === 'input_image') {
+            return {
+              type: 'image_url',
+              image_url: {
+                url: (part as { image_url?: string }).image_url,
+                detail: (part as { detail?: string }).detail,
+              },
+            };
+          }
+          return { type: part.type };
+        });
+      } else {
+        content = '';
+      }
+
+      // Map developer role to system (LibreChat convention)
+      let role: InternalMessage['role'];
+      if (messageItem.role === 'developer') {
+        role = 'system';
+      } else if (messageItem.role === 'user') {
+        role = 'user';
+      } else if (messageItem.role === 'assistant') {
+        role = 'assistant';
+      } else if (messageItem.role === 'system') {
+        role = 'system';
+      } else {
+        role = 'user';
+      }
+
+      messages.push({ role, content });
+    }
+
+    if (item.type === 'function_call') {
+      // Function call items represent prior tool calls from assistant
+      const fcItem = item as {
+        type: 'function_call';
+        call_id: string;
+        name: string;
+        arguments: string;
+      };
+
+      // Add as assistant message with tool_calls
+      messages.push({
+        role: 'assistant',
+        content: '',
+        tool_calls: [
+          {
+            id: fcItem.call_id,
+            type: 'function',
+            function: { name: fcItem.name, arguments: fcItem.arguments },
+          },
+        ],
+      });
+    }
+
+    if (item.type === 'function_call_output') {
+      // Function call output items represent tool results
+      const fcoItem = item as { type: 'function_call_output'; call_id: string; output: string };
+
+      messages.push({
+        role: 'tool',
+        content: fcoItem.output,
+        tool_call_id: fcoItem.call_id,
+      });
+    }
+
+    // Reasoning items are typically not passed back as input
+    // They're model-generated and may be encrypted
+  }
+
+  return messages;
+}
+
+/**
+ * Merge previous conversation messages with new input
+ */
+export function mergeMessagesWithInput(
+  previousMessages: InternalMessage[],
+  newInput: InternalMessage[],
+): InternalMessage[] {
+  return [...previousMessages, ...newInput];
+}
+
+/* =============================================================================
+ * ERROR RESPONSE
+ * ============================================================================= */
+
+/**
+ * Send an error response in Open Responses format
+ */
+export function sendResponsesErrorResponse(
+  res: ServerResponse,
+  statusCode: number,
+  message: string,
+  type: string = 'invalid_request',
+  code?: string,
+): void {
+  res.status(statusCode).json({
+    error: {
+      type,
+      message,
+      code: code ?? null,
+      param: null,
+    },
+  });
+}
+
+/* =============================================================================
+ * RESPONSE CONTEXT
+ * ============================================================================= */
+
+/**
+ * Generate a unique response ID
+ */
+export function generateResponseId(): string {
+  return `resp_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+}
+
+/**
+ * Create a response context from request
+ */
+export function createResponseContext(
+  request: ResponseRequest,
+  responseId?: string,
+): ResponseContext {
+  return {
+    responseId: responseId ?? generateResponseId(),
+    model: request.model,
+    createdAt: Math.floor(Date.now() / 1000),
+    previousResponseId: request.previous_response_id,
+    instructions: request.instructions,
+  };
+}
+
+/* =============================================================================
+ * STREAMING SETUP
+ * ============================================================================= */
+
+/**
+ * Set up streaming response headers
+ */
+export function setupStreamingResponse(res: ServerResponse): void {
+  res.setHeader('Content-Type', 'text/event-stream');
+  res.setHeader('Cache-Control', 'no-cache');
+  res.setHeader('Connection', 'keep-alive');
+  res.setHeader('X-Accel-Buffering', 'no');
+  res.flushHeaders();
+}
+
+/* =============================================================================
+ * STREAM HANDLER FACTORY
+ * ============================================================================= */
+
+/**
+ * State for tracking streaming progress
+ */
+interface StreamState {
+  messageStarted: boolean;
+  messageContentStarted: boolean;
+  reasoningStarted: boolean;
+  reasoningContentStarted: boolean;
+  activeToolCalls: Set<string>;
+  completedToolCalls: Set<string>;
+}
+
+/**
+ * Create LibreChat event handlers that emit Open Responses events
+ */
+export function createResponsesEventHandlers(config: StreamHandlerConfig): {
+  handlers: Record<string, { handle: (event: string, data: unknown) => void }>;
+  state: StreamState;
+  finalizeStream: () => void;
+} {
+  const state: StreamState = {
+    messageStarted: false,
+    messageContentStarted: false,
+    reasoningStarted: false,
+    reasoningContentStarted: false,
+    activeToolCalls: new Set(),
+    completedToolCalls: new Set(),
+  };
+
+  /**
+   * Ensure message item is started
+   */
+  const ensureMessageStarted = (): void => {
+    if (!state.messageStarted) {
+      emitMessageItemAdded(config);
+      state.messageStarted = true;
+    }
+  };
+
+  /**
+   * Ensure message content part is started
+   */
+  const ensureMessageContentStarted = (): void => {
+    ensureMessageStarted();
+    if (!state.messageContentStarted) {
+      emitTextContentPartAdded(config);
+      state.messageContentStarted = true;
+    }
+  };
+
+  /**
+   * Ensure reasoning item is started
+   */
+  const ensureReasoningStarted = (): void => {
+    if (!state.reasoningStarted) {
+      emitReasoningItemAdded(config);
+      state.reasoningStarted = true;
+    }
+  };
+
+  /**
+   * Ensure reasoning content part is started
+   */
+  const ensureReasoningContentStarted = (): void => {
+    ensureReasoningStarted();
+    if (!state.reasoningContentStarted) {
+      emitReasoningContentPartAdded(config);
+      state.reasoningContentStarted = true;
+    }
+  };
+
+  /**
+   * Close any open content streams
+   */
+  const closeOpenStreams = (): void => {
+    // Close message content if open
+    if (state.messageContentStarted) {
+      emitOutputTextDone(config);
+      emitTextContentPartDone(config);
+      state.messageContentStarted = false;
+    }
+
+    // Close message item if open
+    if (state.messageStarted) {
+      emitMessageItemDone(config);
+      state.messageStarted = false;
+    }
+
+    // Close reasoning content if open
+    if (state.reasoningContentStarted) {
+      emitReasoningDone(config);
+      emitReasoningContentPartDone(config);
+      state.reasoningContentStarted = false;
+    }
+
+    // Close reasoning item if open
+    if (state.reasoningStarted) {
+      emitReasoningItemDone(config);
+      state.reasoningStarted = false;
+    }
+  };
+
+  const handlers = {
+    /**
+     * Handle text message deltas
+     */
+    on_message_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as { delta?: { content?: Array<{ type: string; text?: string }> } };
+        const content = deltaData?.delta?.content;
+
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            if (part.type === 'text' && part.text) {
+              ensureMessageContentStarted();
+              emitOutputTextDelta(config, part.text);
+            }
+          }
+        }
+      },
+    },
+
+    /**
+     * Handle reasoning deltas
+     */
+    on_reasoning_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as {
+          delta?: { content?: Array<{ type: string; text?: string; think?: string }> };
+        };
+        const content = deltaData?.delta?.content;
+
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            const text = part.think || part.text;
+            if (text) {
+              ensureReasoningContentStarted();
+              emitReasoningDelta(config, text);
+            }
+          }
+        }
+      },
+    },
+
+    /**
+     * Handle run step (tool call initiation)
+     */
+    on_run_step: {
+      handle: (_event: string, data: unknown): void => {
+        const stepData = data as {
+          stepDetails?: { type: string; tool_calls?: Array<{ id?: string; name?: string }> };
+        };
+        const stepDetails = stepData?.stepDetails;
+
+        if (stepDetails?.type === 'tool_calls' && stepDetails.tool_calls) {
+          // Close any open message/reasoning before tool calls
+          closeOpenStreams();
+
+          for (const tc of stepDetails.tool_calls) {
+            const callId = tc.id ?? '';
+            const name = tc.name ?? '';
+
+            if (callId && !state.activeToolCalls.has(callId)) {
+              state.activeToolCalls.add(callId);
+              emitFunctionCallItemAdded(config, callId, name);
+            }
+          }
+        }
+      },
+    },
+
+    /**
+     * Handle run step delta (tool call argument streaming)
+     */
+    on_run_step_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as {
+          delta?: { type: string; tool_calls?: Array<{ index?: number; args?: string }> };
+        };
+        const delta = deltaData?.delta;
+
+        if (delta?.type === 'tool_calls' && delta.tool_calls) {
+          for (const tc of delta.tool_calls) {
+            const args = tc.args ?? '';
+            if (!args) {
+              continue;
+            }
+
+            // Find the call_id for this tool call by index
+            const toolCallsArray = Array.from(state.activeToolCalls);
+            const callId = toolCallsArray[tc.index ?? 0];
+
+            if (callId) {
+              emitFunctionCallArgumentsDelta(config, callId, args);
+            }
+          }
+        }
+      },
+    },
+
+    /**
+     * Handle tool end (tool execution complete)
+     */
+    on_tool_end: {
+      handle: (_event: string, data: unknown): void => {
+        const toolData = data as { tool_call_id?: string; output?: string };
+        const callId = toolData?.tool_call_id;
+        const output = toolData?.output ?? '';
+
+        if (callId && state.activeToolCalls.has(callId) && !state.completedToolCalls.has(callId)) {
+          state.completedToolCalls.add(callId);
+
+          // Complete the function call item
+          emitFunctionCallArgumentsDone(config, callId);
+          emitFunctionCallItemDone(config, callId);
+
+          // Emit the function call output (internal tool result)
+          emitFunctionCallOutputItem(config, callId, output);
+        }
+      },
+    },
+
+    /**
+     * Handle chat model end (usage collection)
+     */
+    on_chat_model_end: {
+      handle: (_event: string, data: unknown): void => {
+        const endData = data as {
+          output?: {
+            usage_metadata?: {
+              input_tokens?: number;
+              output_tokens?: number;
+              // OpenAI format
+              input_token_details?: {
+                cache_creation?: number;
+                cache_read?: number;
+              };
+              // Anthropic format
+              cache_creation_input_tokens?: number;
+              cache_read_input_tokens?: number;
+            };
+          };
+        };
+
+        const usage = endData?.output?.usage_metadata;
+        if (usage) {
+          // Extract cached tokens from either OpenAI or Anthropic format
+          const cachedTokens =
+            (usage.input_token_details?.cache_read ?? 0) + (usage.cache_read_input_tokens ?? 0);
+
+          updateTrackerUsage(config.tracker, {
+            promptTokens: usage.input_tokens,
+            completionTokens: usage.output_tokens,
+            cachedTokens,
+          });
+        }
+      },
+    },
+  };
+
+  /**
+   * Finalize the stream - close open items and emit completed
+   */
+  const finalizeStream = (): void => {
+    closeOpenStreams();
+    emitResponseCompleted(config);
+    writeDone(config.res);
+  };
+
+  return { handlers, state, finalizeStream };
+}
+
+/* =============================================================================
+ * NON-STREAMING AGGREGATOR
+ * ============================================================================= */
+
+/**
+ * Aggregator for non-streaming responses
+ */
+export interface ResponseAggregator {
+  textChunks: string[];
+  reasoningChunks: string[];
+  toolCalls: Map<
+    string,
+    {
+      id: string;
+      name: string;
+      arguments: string;
+    }
+  >;
+  toolOutputs: Map<string, string>;
+  usage: {
+    inputTokens: number;
+    outputTokens: number;
+    reasoningTokens: number;
+    cachedTokens: number;
+  };
+  addText: (text: string) => void;
+  addReasoning: (text: string) => void;
+  getText: () => string;
+  getReasoning: () => string;
+}
+
+/**
+ * Create an aggregator for non-streaming responses
+ */
+export function createResponseAggregator(): ResponseAggregator {
+  const aggregator: ResponseAggregator = {
+    textChunks: [],
+    reasoningChunks: [],
+    toolCalls: new Map(),
+    toolOutputs: new Map(),
+    usage: {
+      inputTokens: 0,
+      outputTokens: 0,
+      reasoningTokens: 0,
+      cachedTokens: 0,
+    },
+    addText: (text: string) => {
+      aggregator.textChunks.push(text);
+    },
+    addReasoning: (text: string) => {
+      aggregator.reasoningChunks.push(text);
+    },
+    getText: () => aggregator.textChunks.join(''),
+    getReasoning: () => aggregator.reasoningChunks.join(''),
+  };
+  return aggregator;
+}
+
+/**
+ * Build a non-streaming response from aggregator
+ * Includes all required fields per Open Responses spec
+ */
+export function buildAggregatedResponse(
+  context: ResponseContext,
+  aggregator: ResponseAggregator,
+): Response {
+  const output: Response['output'] = [];
+
+  // Add reasoning item if present
+  const reasoningText = aggregator.getReasoning();
+  if (reasoningText) {
+    output.push({
+      type: 'reasoning',
+      id: `reason_${Date.now().toString(36)}`,
+      status: 'completed',
+      content: [{ type: 'reasoning_text', text: reasoningText }],
+      summary: [],
+    });
+  }
+
+  // Add function calls and outputs
+  for (const [callId, tc] of aggregator.toolCalls) {
+    output.push({
+      type: 'function_call',
+      id: `fc_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 6)}`,
+      call_id: callId,
+      name: tc.name,
+      arguments: tc.arguments,
+      status: 'completed',
+    });
+
+    const toolOutput = aggregator.toolOutputs.get(callId);
+    if (toolOutput) {
+      output.push({
+        type: 'function_call_output',
+        id: `fco_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 6)}`,
+        call_id: callId,
+        output: toolOutput,
+        status: 'completed',
+      });
+    }
+  }
+
+  // Add message item if there's text (or always add one if no other output)
+  const text = aggregator.getText();
+  if (text || output.length === 0) {
+    output.push({
+      type: 'message',
+      id: `msg_${Date.now().toString(36)}`,
+      role: 'assistant',
+      status: 'completed',
+      content: text ? [{ type: 'output_text', text, annotations: [], logprobs: [] }] : [],
+    });
+  }
+
+  return {
+    // Required fields per Open Responses spec
+    id: context.responseId,
+    object: 'response',
+    created_at: context.createdAt,
+    completed_at: Math.floor(Date.now() / 1000),
+    status: 'completed',
+    incomplete_details: null,
+    model: context.model,
+    previous_response_id: context.previousResponseId ?? null,
+    instructions: context.instructions ?? null,
+    output,
+    error: null,
+    tools: [],
+    tool_choice: 'auto',
+    truncation: 'disabled',
+    parallel_tool_calls: true,
+    text: { format: { type: 'text' } },
+    temperature: 1,
+    top_p: 1,
+    presence_penalty: 0,
+    frequency_penalty: 0,
+    top_logprobs: 0,
+    reasoning: null,
+    user: null,
+    usage: {
+      input_tokens: aggregator.usage.inputTokens,
+      output_tokens: aggregator.usage.outputTokens,
+      total_tokens: aggregator.usage.inputTokens + aggregator.usage.outputTokens,
+      input_tokens_details: { cached_tokens: aggregator.usage.cachedTokens },
+      output_tokens_details: { reasoning_tokens: aggregator.usage.reasoningTokens },
+    },
+    max_output_tokens: null,
+    max_tool_calls: null,
+    store: false,
+    background: false,
+    service_tier: 'default',
+    metadata: {},
+    safety_identifier: null,
+    prompt_cache_key: null,
+  };
+}
+
+/**
+ * Create event handlers for non-streaming aggregation
+ */
+export function createAggregatorEventHandlers(aggregator: ResponseAggregator): Record<
+  string,
+  {
+    handle: (event: string, data: unknown) => void;
+  }
+> {
+  const activeToolCalls = new Set<string>();
+
+  return {
+    on_message_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as { delta?: { content?: Array<{ type: string; text?: string }> } };
+        const content = deltaData?.delta?.content;
+
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            if (part.type === 'text' && part.text) {
+              aggregator.addText(part.text);
+            }
+          }
+        }
+      },
+    },
+
+    on_reasoning_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as {
+          delta?: { content?: Array<{ type: string; text?: string; think?: string }> };
+        };
+        const content = deltaData?.delta?.content;
+
+        if (Array.isArray(content)) {
+          for (const part of content) {
+            const text = part.think || part.text;
+            if (text) {
+              aggregator.addReasoning(text);
+            }
+          }
+        }
+      },
+    },
+
+    on_run_step: {
+      handle: (_event: string, data: unknown): void => {
+        const stepData = data as {
+          stepDetails?: { type: string; tool_calls?: Array<{ id?: string; name?: string }> };
+        };
+        const stepDetails = stepData?.stepDetails;
+
+        if (stepDetails?.type === 'tool_calls' && stepDetails.tool_calls) {
+          for (const tc of stepDetails.tool_calls) {
+            const callId = tc.id ?? '';
+            const name = tc.name ?? '';
+
+            if (callId && !activeToolCalls.has(callId)) {
+              activeToolCalls.add(callId);
+              aggregator.toolCalls.set(callId, { id: callId, name, arguments: '' });
+            }
+          }
+        }
+      },
+    },
+
+    on_run_step_delta: {
+      handle: (_event: string, data: unknown): void => {
+        const deltaData = data as {
+          delta?: { type: string; tool_calls?: Array<{ index?: number; args?: string }> };
+        };
+        const delta = deltaData?.delta;
+
+        if (delta?.type === 'tool_calls' && delta.tool_calls) {
+          for (const tc of delta.tool_calls) {
+            const args = tc.args ?? '';
+            if (!args) {
+              continue;
+            }
+
+            const toolCallsArray = Array.from(activeToolCalls);
+            const callId = toolCallsArray[tc.index ?? 0];
+
+            if (callId) {
+              const existing = aggregator.toolCalls.get(callId);
+              if (existing) {
+                existing.arguments += args;
+              }
+            }
+          }
+        }
+      },
+    },
+
+    on_tool_end: {
+      handle: (_event: string, data: unknown): void => {
+        const toolData = data as { tool_call_id?: string; output?: string };
+        const callId = toolData?.tool_call_id;
+        const output = toolData?.output ?? '';
+
+        if (callId) {
+          aggregator.toolOutputs.set(callId, output);
+        }
+      },
+    },
+
+    on_chat_model_end: {
+      handle: (_event: string, data: unknown): void => {
+        const endData = data as {
+          output?: {
+            usage_metadata?: {
+              input_tokens?: number;
+              output_tokens?: number;
+              // OpenAI format
+              input_token_details?: {
+                cache_creation?: number;
+                cache_read?: number;
+              };
+              // Anthropic format
+              cache_creation_input_tokens?: number;
+              cache_read_input_tokens?: number;
+            };
+          };
+        };
+
+        const usage = endData?.output?.usage_metadata;
+        if (usage) {
+          aggregator.usage.inputTokens = usage.input_tokens ?? 0;
+          aggregator.usage.outputTokens = usage.output_tokens ?? 0;
+
+          // Extract cached tokens from either OpenAI or Anthropic format
+          aggregator.usage.cachedTokens =
+            (usage.input_token_details?.cache_read ?? 0) + (usage.cache_read_input_tokens ?? 0);
+        }
+      },
+    },
+  };
+}
diff --git a/packages/api/src/agents/responses/types.ts b/packages/api/src/agents/responses/types.ts
new file mode 100644
index 000000000000..65e5887ab88e
--- /dev/null
+++ b/packages/api/src/agents/responses/types.ts
@@ -0,0 +1,779 @@
+/**
+ * Open Responses API Types
+ *
+ * Types following the Open Responses specification for building multi-provider,
+ * interoperable LLM interfaces. Items are the fundamental unit of context,
+ * and streaming uses semantic events rather than simple deltas.
+ *
+ * @see https://openresponses.org/specification
+ */
+
+/* =============================================================================
+ * ENUMS
+ * ============================================================================= */
+
+/** Item status lifecycle */
+export type ItemStatus = 'in_progress' | 'incomplete' | 'completed';
+
+/** Response status lifecycle */
+export type ResponseStatus = 'in_progress' | 'completed' | 'failed' | 'incomplete';
+
+/** Message roles */
+export type MessageRole = 'user' | 'assistant' | 'system' | 'developer';
+
+/** Tool choice options */
+export type ToolChoiceValue = 'none' | 'auto' | 'required';
+
+/** Truncation options */
+export type TruncationValue = 'auto' | 'disabled';
+
+/** Service tier options */
+export type ServiceTier = 'auto' | 'default' | 'flex' | 'priority';
+
+/** Reasoning effort levels */
+export type ReasoningEffort = 'none' | 'low' | 'medium' | 'high' | 'xhigh';
+
+/** Reasoning summary options */
+export type ReasoningSummary = 'concise' | 'detailed' | 'auto';
+
+/* =============================================================================
+ * INPUT CONTENT TYPES
+ * ============================================================================= */
+
+/** Text input content */
+export interface InputTextContent {
+  type: 'input_text';
+  text: string;
+}
+
+/** Image input content */
+export interface InputImageContent {
+  type: 'input_image';
+  image_url?: string;
+  file_id?: string;
+  detail?: 'auto' | 'low' | 'high';
+}
+
+/** File input content */
+export interface InputFileContent {
+  type: 'input_file';
+  file_id?: string;
+  file_data?: string;
+  filename?: string;
+}
+
+/** Union of all input content types */
+export type InputContent = InputTextContent | InputImageContent | InputFileContent;
+
+/* =============================================================================
+ * OUTPUT CONTENT TYPES
+ * ============================================================================= */
+
+/** Log probability for a token */
+export interface LogProb {
+  token: string;
+  logprob: number;
+  bytes?: number[];
+  top_logprobs?: TopLogProb[];
+}
+
+/** Top log probability entry */
+export interface TopLogProb {
+  token: string;
+  logprob: number;
+  bytes?: number[];
+}
+
+/** Text output content */
+export interface OutputTextContent {
+  type: 'output_text';
+  text: string;
+  annotations: Annotation[];
+  logprobs: LogProb[];
+}
+
+/** Refusal content */
+export interface RefusalContent {
+  type: 'refusal';
+  refusal: string;
+}
+
+/** Union of model output content types */
+export type ModelContent = OutputTextContent | RefusalContent;
+
+/* =============================================================================
+ * ANNOTATIONS
+ * ============================================================================= */
+
+/** URL citation annotation */
+export interface UrlCitationAnnotation {
+  type: 'url_citation';
+  url: string;
+  title?: string;
+  start_index: number;
+  end_index: number;
+}
+
+/** File citation annotation */
+export interface FileCitationAnnotation {
+  type: 'file_citation';
+  file_id: string;
+  start_index: number;
+  end_index: number;
+}
+
+/** Union of annotation types */
+export type Annotation = UrlCitationAnnotation | FileCitationAnnotation;
+
+/* =============================================================================
+ * REASONING CONTENT
+ * ============================================================================= */
+
+/** Reasoning text content */
+export interface ReasoningTextContent {
+  type: 'reasoning_text';
+  text: string;
+}
+
+/** Summary text content */
+export interface SummaryTextContent {
+  type: 'summary_text';
+  text: string;
+}
+
+/** Reasoning content union */
+export type ReasoningContent = ReasoningTextContent;
+
+/* =============================================================================
+ * INPUT ITEMS (for request)
+ * ============================================================================= */
+
+/** System message input item */
+export interface SystemMessageItemParam {
+  type: 'message';
+  role: 'system';
+  content: string | InputContent[];
+}
+
+/** Developer message input item */
+export interface DeveloperMessageItemParam {
+  type: 'message';
+  role: 'developer';
+  content: string | InputContent[];
+}
+
+/** User message input item */
+export interface UserMessageItemParam {
+  type: 'message';
+  role: 'user';
+  content: string | InputContent[];
+}
+
+/** Assistant message input item */
+export interface AssistantMessageItemParam {
+  type: 'message';
+  role: 'assistant';
+  content: string | ModelContent[];
+}
+
+/** Function call input item (for providing context) */
+export interface FunctionCallItemParam {
+  type: 'function_call';
+  id: string;
+  call_id: string;
+  name: string;
+  arguments: string;
+  status?: ItemStatus;
+}
+
+/** Function call output input item (for providing tool results) */
+export interface FunctionCallOutputItemParam {
+  type: 'function_call_output';
+  call_id: string;
+  output: string;
+  status?: ItemStatus;
+}
+
+/** Reasoning input item */
+export interface ReasoningItemParam {
+  type: 'reasoning';
+  id?: string;
+  content?: ReasoningContent[];
+  encrypted_content?: string;
+  summary?: SummaryTextContent[];
+  status?: ItemStatus;
+}
+
+/** Item reference (for referencing existing items) */
+export interface ItemReferenceParam {
+  type: 'item_reference';
+  id: string;
+}
+
+/** Union of all input item types */
+export type InputItem =
+  | SystemMessageItemParam
+  | DeveloperMessageItemParam
+  | UserMessageItemParam
+  | AssistantMessageItemParam
+  | FunctionCallItemParam
+  | FunctionCallOutputItemParam
+  | ReasoningItemParam
+  | ItemReferenceParam;
+
+/* =============================================================================
+ * OUTPUT ITEMS (in response)
+ * ============================================================================= */
+
+/** Message output item */
+export interface MessageItem {
+  type: 'message';
+  id: string;
+  role: 'assistant';
+  status: ItemStatus;
+  content: ModelContent[];
+}
+
+/** Function call output item */
+export interface FunctionCallItem {
+  type: 'function_call';
+  id: string;
+  call_id: string;
+  name: string;
+  arguments: string;
+  status: ItemStatus;
+}
+
+/** Function call output result item (internal tool execution result) */
+export interface FunctionCallOutputItem {
+  type: 'function_call_output';
+  id: string;
+  call_id: string;
+  output: string;
+  status: ItemStatus;
+}
+
+/** Reasoning output item */
+export interface ReasoningItem {
+  type: 'reasoning';
+  id: string;
+  status?: ItemStatus;
+  content?: ReasoningContent[];
+  encrypted_content?: string;
+  /** Required per Open Responses spec - summary content parts */
+  summary: SummaryTextContent[];
+}
+
+/** Union of all output item types */
+export type OutputItem = MessageItem | FunctionCallItem | FunctionCallOutputItem | ReasoningItem;
+
+/* =============================================================================
+ * TOOLS
+ * ============================================================================= */
+
+/** Function tool definition */
+export interface FunctionTool {
+  type: 'function';
+  name: string;
+  description?: string;
+  parameters?: Record<string, unknown>;
+  strict?: boolean;
+}
+
+/** Hosted tool (provider-specific) */
+export interface HostedTool {
+  type: string; // e.g., 'librechat:web_search'
+  [key: string]: unknown;
+}
+
+/** Union of tool types */
+export type Tool = FunctionTool | HostedTool;
+
+/** Specific function tool choice */
+export interface FunctionToolChoice {
+  type: 'function';
+  name: string;
+}
+
+/** Tool choice parameter */
+export type ToolChoice = ToolChoiceValue | FunctionToolChoice;
+
+/* =============================================================================
+ * REQUEST
+ * ============================================================================= */
+
+/** Reasoning configuration */
+export interface ReasoningConfig {
+  effort?: ReasoningEffort;
+  summary?: ReasoningSummary;
+}
+
+/** Text output configuration */
+export interface TextConfig {
+  format?: {
+    type: 'text' | 'json_object' | 'json_schema';
+    json_schema?: Record<string, unknown>;
+  };
+}
+
+/** Stream options */
+export interface StreamOptions {
+  include_usage?: boolean;
+}
+
+/** Metadata (key-value pairs) */
+export type Metadata = Record<string, string>;
+
+/** Open Responses API Request */
+export interface ResponseRequest {
+  /** Model/agent ID to use */
+  model: string;
+
+  /** Input context - string or array of items */
+  input: string | InputItem[];
+
+  /** Previous response ID for conversation continuation */
+  previous_response_id?: string;
+
+  /** Tools available to the model */
+  tools?: Tool[];
+
+  /** Tool choice configuration */
+  tool_choice?: ToolChoice;
+
+  /** Whether to stream the response */
+  stream?: boolean;
+
+  /** Stream options */
+  stream_options?: StreamOptions;
+
+  /** Additional instructions */
+  instructions?: string;
+
+  /** Maximum output tokens */
+  max_output_tokens?: number;
+
+  /** Maximum tool calls */
+  max_tool_calls?: number;
+
+  /** Sampling temperature */
+  temperature?: number;
+
+  /** Top-p sampling */
+  top_p?: number;
+
+  /** Presence penalty */
+  presence_penalty?: number;
+
+  /** Frequency penalty */
+  frequency_penalty?: number;
+
+  /** Reasoning configuration */
+  reasoning?: ReasoningConfig;
+
+  /** Text output configuration */
+  text?: TextConfig;
+
+  /** Truncation behavior */
+  truncation?: TruncationValue;
+
+  /** Service tier */
+  service_tier?: ServiceTier;
+
+  /** Whether to store the response */
+  store?: boolean;
+
+  /** Metadata */
+  metadata?: Metadata;
+
+  /** Whether model can call multiple tools in parallel */
+  parallel_tool_calls?: boolean;
+
+  /** User identifier for safety */
+  user?: string;
+}
+
+/* =============================================================================
+ * RESPONSE
+ * ============================================================================= */
+
+/** Token usage details */
+export interface InputTokensDetails {
+  cached_tokens: number;
+}
+
+/** Output tokens details */
+export interface OutputTokensDetails {
+  reasoning_tokens: number;
+}
+
+/** Token usage statistics */
+export interface Usage {
+  input_tokens: number;
+  output_tokens: number;
+  total_tokens: number;
+  input_tokens_details: InputTokensDetails;
+  output_tokens_details: OutputTokensDetails;
+}
+
+/** Incomplete details */
+export interface IncompleteDetails {
+  reason: 'max_output_tokens' | 'max_tool_calls' | 'content_filter' | 'other';
+}
+
+/** Error object */
+export interface ResponseError {
+  type: 'server_error' | 'invalid_request' | 'not_found' | 'model_error' | 'too_many_requests';
+  code?: string;
+  message: string;
+  param?: string;
+}
+
+/** Text field configuration */
+export interface TextField {
+  format?: {
+    type: 'text' | 'json_object' | 'json_schema';
+    json_schema?: Record<string, unknown>;
+  };
+}
+
+/** Open Responses API Response - All required fields per spec */
+export interface Response {
+  /** Response ID */
+  id: string;
+
+  /** Object type - always "response" */
+  object: 'response';
+
+  /** Creation timestamp (Unix seconds) */
+  created_at: number;
+
+  /** Completion timestamp (Unix seconds) - null if not completed */
+  completed_at: number | null;
+
+  /** Response status */
+  status: ResponseStatus;
+
+  /** Incomplete details - null if not incomplete */
+  incomplete_details: IncompleteDetails | null;
+
+  /** Model that generated the response */
+  model: string;
+
+  /** Previous response ID - null if not a continuation */
+  previous_response_id: string | null;
+
+  /** Instructions used - null if none */
+  instructions: string | null;
+
+  /** Output items */
+  output: OutputItem[];
+
+  /** Error - null if no error */
+  error: ResponseError | null;
+
+  /** Tools available */
+  tools: Tool[];
+
+  /** Tool choice setting */
+  tool_choice: ToolChoice;
+
+  /** Truncation setting used */
+  truncation: TruncationValue;
+
+  /** Whether parallel tool calls were allowed */
+  parallel_tool_calls: boolean;
+
+  /** Text configuration used */
+  text: TextField;
+
+  /** Temperature used */
+  temperature: number;
+
+  /** Top-p used */
+  top_p: number;
+
+  /** Presence penalty used */
+  presence_penalty: number;
+
+  /** Frequency penalty used */
+  frequency_penalty: number;
+
+  /** Top logprobs - number of most likely tokens to return */
+  top_logprobs: number;
+
+  /** Reasoning configuration - null if none */
+  reasoning: ReasoningConfig | null;
+
+  /** User identifier - null if none */
+  user: string | null;
+
+  /** Token usage - null if not available */
+  usage: Usage | null;
+
+  /** Max output tokens - null if not set */
+  max_output_tokens: number | null;
+
+  /** Max tool calls - null if not set */
+  max_tool_calls: number | null;
+
+  /** Whether response was stored */
+  store: boolean;
+
+  /** Whether request was run in background */
+  background: boolean;
+
+  /** Service tier used */
+  service_tier: string;
+
+  /** Metadata */
+  metadata: Metadata;
+
+  /** Safety identifier - null if none */
+  safety_identifier: string | null;
+
+  /** Prompt cache key - null if none */
+  prompt_cache_key: string | null;
+}
+
+/* =============================================================================
+ * STREAMING EVENTS
+ * ============================================================================= */
+
+/** Base event structure */
+export interface BaseEvent {
+  type: string;
+  sequence_number: number;
+}
+
+/** Response created event (first event in stream) */
+export interface ResponseCreatedEvent extends BaseEvent {
+  type: 'response.created';
+  response: Response;
+}
+
+/** Response in_progress event */
+export interface ResponseInProgressEvent extends BaseEvent {
+  type: 'response.in_progress';
+  response: Response;
+}
+
+/** Response completed event */
+export interface ResponseCompletedEvent extends BaseEvent {
+  type: 'response.completed';
+  response: Response;
+}
+
+/** Response failed event */
+export interface ResponseFailedEvent extends BaseEvent {
+  type: 'response.failed';
+  response: Response;
+}
+
+/** Response incomplete event */
+export interface ResponseIncompleteEvent extends BaseEvent {
+  type: 'response.incomplete';
+  response: Response;
+}
+
+/** Output item added event */
+export interface OutputItemAddedEvent extends BaseEvent {
+  type: 'response.output_item.added';
+  output_index: number;
+  item: OutputItem;
+}
+
+/** Output item done event */
+export interface OutputItemDoneEvent extends BaseEvent {
+  type: 'response.output_item.done';
+  output_index: number;
+  item: OutputItem;
+}
+
+/** Content part added event */
+export interface ContentPartAddedEvent extends BaseEvent {
+  type: 'response.content_part.added';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  part: ModelContent | ReasoningContent;
+}
+
+/** Content part done event */
+export interface ContentPartDoneEvent extends BaseEvent {
+  type: 'response.content_part.done';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  part: ModelContent | ReasoningContent;
+}
+
+/** Output text delta event */
+export interface OutputTextDeltaEvent extends BaseEvent {
+  type: 'response.output_text.delta';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  delta: string;
+  logprobs: LogProb[];
+}
+
+/** Output text done event */
+export interface OutputTextDoneEvent extends BaseEvent {
+  type: 'response.output_text.done';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  text: string;
+  logprobs: LogProb[];
+}
+
+/** Refusal delta event */
+export interface RefusalDeltaEvent extends BaseEvent {
+  type: 'response.refusal.delta';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  delta: string;
+}
+
+/** Refusal done event */
+export interface RefusalDoneEvent extends BaseEvent {
+  type: 'response.refusal.done';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  refusal: string;
+}
+
+/** Function call arguments delta event */
+export interface FunctionCallArgumentsDeltaEvent extends BaseEvent {
+  type: 'response.function_call_arguments.delta';
+  item_id: string;
+  output_index: number;
+  call_id: string;
+  delta: string;
+}
+
+/** Function call arguments done event */
+export interface FunctionCallArgumentsDoneEvent extends BaseEvent {
+  type: 'response.function_call_arguments.done';
+  item_id: string;
+  output_index: number;
+  call_id: string;
+  arguments: string;
+}
+
+/** Reasoning delta event */
+export interface ReasoningDeltaEvent extends BaseEvent {
+  type: 'response.reasoning.delta';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  delta: string;
+}
+
+/** Reasoning done event */
+export interface ReasoningDoneEvent extends BaseEvent {
+  type: 'response.reasoning.done';
+  item_id: string;
+  output_index: number;
+  content_index: number;
+  text: string;
+}
+
+/** Error event */
+export interface ErrorEvent extends BaseEvent {
+  type: 'error';
+  error: ResponseError;
+}
+
+/* =============================================================================
+ * LIBRECHAT EXTENSION TYPES
+ * Per Open Responses spec, custom types MUST be prefixed with implementor slug
+ * @see https://openresponses.org/specification#extending-streaming-events
+ * ============================================================================= */
+
+/** Attachment content types for LibreChat extensions */
+export interface LibreChatAttachmentContent {
+  /** File ID in LibreChat storage */
+  file_id?: string;
+  /** Original filename */
+  filename?: string;
+  /** MIME type */
+  type?: string;
+  /** URL to access the file */
+  url?: string;
+  /** Base64-encoded image data (for inline images) */
+  image_url?: string;
+  /** Width for images */
+  width?: number;
+  /** Height for images */
+  height?: number;
+  /** Associated tool call ID */
+  tool_call_id?: string;
+  /** Additional metadata */
+  [key: string]: unknown;
+}
+
+/**
+ * LibreChat attachment event - custom streaming event for file/image attachments
+ * Follows Open Responses extension pattern with librechat: prefix
+ */
+export interface LibreChatAttachmentEvent extends BaseEvent {
+  type: 'librechat:attachment';
+  /** The attachment data */
+  attachment: LibreChatAttachmentContent;
+  /** Associated message ID */
+  message_id?: string;
+  /** Associated conversation ID */
+  conversation_id?: string;
+}
+
+/** Union of all streaming events (including LibreChat extensions) */
+export type ResponseEvent =
+  | ResponseCreatedEvent
+  | ResponseInProgressEvent
+  | ResponseCompletedEvent
+  | ResponseFailedEvent
+  | ResponseIncompleteEvent
+  | OutputItemAddedEvent
+  | OutputItemDoneEvent
+  | ContentPartAddedEvent
+  | ContentPartDoneEvent
+  | OutputTextDeltaEvent
+  | OutputTextDoneEvent
+  | RefusalDeltaEvent
+  | RefusalDoneEvent
+  | FunctionCallArgumentsDeltaEvent
+  | FunctionCallArgumentsDoneEvent
+  | ReasoningDeltaEvent
+  | ReasoningDoneEvent
+  | ErrorEvent
+  // LibreChat extensions (prefixed per Open Responses spec)
+  | LibreChatAttachmentEvent;
+
+/* =============================================================================
+ * INTERNAL TYPES
+ * ============================================================================= */
+
+/** Context for building responses */
+export interface ResponseContext {
+  /** Response ID */
+  responseId: string;
+  /** Model/agent ID */
+  model: string;
+  /** Creation timestamp */
+  createdAt: number;
+  /** Previous response ID */
+  previousResponseId?: string;
+  /** Instructions */
+  instructions?: string;
+}
+
+/** Validation result for requests */
+export interface RequestValidationResult {
+  valid: boolean;
+  request?: ResponseRequest;
+  error?: string;
+}
diff --git a/packages/api/src/agents/run.ts b/packages/api/src/agents/run.ts
index 6b18c73799e9..e555d826f42f 100644
--- a/packages/api/src/agents/run.ts
+++ b/packages/api/src/agents/run.ts
@@ -1,9 +1,11 @@
 import { Run, Providers } from '@librechat/agents';
 import { providerEndpointMap, KnownEndpoints } from 'librechat-data-provider';
+import type { BaseMessage } from '@langchain/core/messages';
 import type {
   MultiAgentGraphConfig,
   OpenAIClientOptions,
   StandardGraphConfig,
+  LCToolRegistry,
   AgentInputs,
   GenericTool,
   RunConfig,
@@ -14,6 +16,121 @@ import type { Agent } from 'librechat-data-provider';
 import type * as t from '~/types';
 import { resolveHeaders, createSafeUser } from '~/utils/env';
 
+/** Tool search tool name constant */
+const TOOL_SEARCH_NAME = 'tool_search';
+
+/** Expected shape of JSON tool search results */
+interface ToolSearchJsonResult {
+  found?: number;
+  tools?: Array<{ name: string }>;
+}
+
+/**
+ * Parses tool names from JSON-formatted tool_search output.
+ * Format: { "found": N, "tools": [{ "name": "tool_name", ... }], ... }
+ *
+ * @param content - The JSON string content
+ * @param discoveredTools - Set to add discovered tool names to
+ * @returns true if parsing succeeded, false otherwise
+ */
+function parseToolSearchJson(content: string, discoveredTools: Set<string>): boolean {
+  try {
+    const parsed = JSON.parse(content) as ToolSearchJsonResult;
+    if (!parsed.tools || !Array.isArray(parsed.tools)) {
+      return false;
+    }
+    for (const tool of parsed.tools) {
+      if (tool.name && typeof tool.name === 'string') {
+        discoveredTools.add(tool.name);
+      }
+    }
+    return parsed.tools.length > 0;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Parses tool names from legacy text-formatted tool_search output.
+ * Format: "- tool_name (score: X.XX)"
+ *
+ * @param content - The text content
+ * @param discoveredTools - Set to add discovered tool names to
+ */
+function parseToolSearchLegacy(content: string, discoveredTools: Set<string>): void {
+  const toolNameRegex = /^- ([^\s(]+)\s*\(score:/gm;
+  let match: RegExpExecArray | null;
+  while ((match = toolNameRegex.exec(content)) !== null) {
+    const toolName = match[1];
+    if (toolName) {
+      discoveredTools.add(toolName);
+    }
+  }
+}
+
+/**
+ * Extracts discovered tool names from message history by parsing tool_search results.
+ * When the LLM calls tool_search, the result contains tool names that were discovered.
+ * These tools should have defer_loading overridden to false on subsequent turns.
+ *
+ * Supports both:
+ * - New JSON format: { "tools": [{ "name": "tool_name" }] }
+ * - Legacy text format: "- tool_name (score: X.XX)"
+ *
+ * @param messages - The conversation message history
+ * @returns Set of tool names that were discovered via tool_search
+ */
+export function extractDiscoveredToolsFromHistory(messages: BaseMessage[]): Set<string> {
+  const discoveredTools = new Set<string>();
+
+  for (const message of messages) {
+    const msgType = message._getType?.() ?? message.constructor?.name ?? '';
+    if (msgType !== 'tool') {
+      continue;
+    }
+
+    const name = (message as { name?: string }).name;
+    if (name !== TOOL_SEARCH_NAME) {
+      continue;
+    }
+
+    const content = message.content;
+    if (typeof content !== 'string') {
+      continue;
+    }
+
+    /** Try JSON format first (new), fall back to regex (legacy) */
+    if (!parseToolSearchJson(content, discoveredTools)) {
+      parseToolSearchLegacy(content, discoveredTools);
+    }
+  }
+
+  return discoveredTools;
+}
+
+/**
+ * Overrides defer_loading to false for tools that were already discovered via tool_search.
+ * This prevents the LLM from having to re-discover tools on every turn.
+ *
+ * @param toolRegistry - The tool registry to modify (mutated in place)
+ * @param discoveredTools - Set of tool names that were previously discovered
+ * @returns Number of tools that had defer_loading overridden
+ */
+export function overrideDeferLoadingForDiscoveredTools(
+  toolRegistry: LCToolRegistry,
+  discoveredTools: Set<string>,
+): number {
+  let overrideCount = 0;
+  for (const toolName of discoveredTools) {
+    const toolDef = toolRegistry.get(toolName);
+    if (toolDef && toolDef.defer_loading === true) {
+      toolDef.defer_loading = false;
+      overrideCount++;
+    }
+  }
+  return overrideCount;
+}
+
 const customProviders = new Set([
   Providers.XAI,
   Providers.DEEPSEEK,
@@ -48,6 +165,9 @@ type RunAgent = Omit<Agent, 'tools'> & {
   maxContextTokens?: number;
   useLegacyContent?: boolean;
   toolContextMap?: Record<string, string>;
+  toolRegistry?: LCToolRegistry;
+  /** Precomputed flag indicating if any tools have defer_loading enabled */
+  hasDeferredTools?: boolean;
 };
 
 /**
@@ -60,12 +180,16 @@ type RunAgent = Omit<Agent, 'tools'> & {
  * @param options.customHandlers - Custom event handlers.
  * @param options.streaming - Whether to use streaming.
  * @param options.streamUsage - Whether to stream usage information.
+ * @param options.messages - Optional message history to extract discovered tools from.
+ *   When provided, tools that were previously discovered via tool_search will have
+ *   their defer_loading overridden to false, preventing redundant re-discovery.
  * @returns {Promise<Run<IState>>} A promise that resolves to a new Run instance.
  */
 export async function createRun({
   runId,
   signal,
   agents,
+  messages,
   requestBody,
   user,
   tokenCounter,
@@ -81,9 +205,26 @@ export async function createRun({
   streamUsage?: boolean;
   requestBody?: t.RequestBody;
   user?: IUser;
+  /** Message history for extracting previously discovered tools */
+  messages?: BaseMessage[];
 } & Pick<RunConfig, 'tokenCounter' | 'customHandlers' | 'indexTokenCountMap'>): Promise<
   Run<IState>
 > {
+  /**
+   * Only extract discovered tools if:
+   * 1. We have message history to parse
+   * 2. At least one agent has deferred tools (using precomputed flag)
+   *
+   * This optimization avoids iterating through messages in the ~95% of cases
+   * where no agent uses deferred tool loading.
+   */
+  const hasAnyDeferredTools = agents.some((agent) => agent.hasDeferredTools === true);
+
+  const discoveredTools =
+    hasAnyDeferredTools && messages?.length
+      ? extractDiscoveredToolsFromHistory(messages)
+      : new Set<string>();
+
   const agentInputs: AgentInputs[] = [];
   const buildAgentContext = (agent: RunAgent) => {
     const provider =
@@ -135,6 +276,14 @@ export async function createRun({
       llmConfig.usage = true;
     }
 
+    /**
+     * Override defer_loading for tools that were discovered in previous turns.
+     * This prevents the LLM from having to re-discover tools via tool_search.
+     */
+    if (discoveredTools.size > 0 && agent.toolRegistry) {
+      overrideDeferLoadingForDiscoveredTools(agent.toolRegistry, discoveredTools);
+    }
+
     const reasoningKey = getReasoningKey(provider, llmConfig, agent.endpoint);
     const agentInput: AgentInputs = {
       provider,
@@ -144,6 +293,7 @@ export async function createRun({
       tools: agent.tools,
       clientOptions: llmConfig,
       instructions: systemContent,
+      toolRegistry: agent.toolRegistry,
       maxContextTokens: agent.maxContextTokens,
       useLegacyContent: agent.useLegacyContent ?? false,
     };
diff --git a/packages/api/src/agents/validation.ts b/packages/api/src/agents/validation.ts
index 4798ffeb80ae..d427b3639ee3 100644
--- a/packages/api/src/agents/validation.ts
+++ b/packages/api/src/agents/validation.ts
@@ -51,6 +51,15 @@ export const graphEdgeSchema = z.object({
   promptKey: z.string().optional(),
 });
 
+/** Per-tool options schema (defer_loading, allowed_callers) */
+export const toolOptionsSchema = z.object({
+  defer_loading: z.boolean().optional(),
+  allowed_callers: z.array(z.enum(['direct', 'code_execution'])).optional(),
+});
+
+/** Agent tool options - map of tool_id to tool options */
+export const agentToolOptionsSchema = z.record(z.string(), toolOptionsSchema).optional();
+
 /** Base agent schema with all common fields */
 export const agentBaseSchema = z.object({
   name: z.string().nullable().optional(),
@@ -68,6 +77,7 @@ export const agentBaseSchema = z.object({
   recursion_limit: z.number().optional(),
   conversation_starters: z.array(z.string()).optional(),
   tool_resources: agentToolResourcesSchema,
+  tool_options: agentToolOptionsSchema,
   support_contact: agentSupportContactSchema,
   category: z.string().optional(),
 });
diff --git a/packages/api/src/apiKeys/handlers.ts b/packages/api/src/apiKeys/handlers.ts
new file mode 100644
index 000000000000..61d23ccde9ca
--- /dev/null
+++ b/packages/api/src/apiKeys/handlers.ts
@@ -0,0 +1,129 @@
+import type { Request, Response } from 'express';
+import type { Types } from 'mongoose';
+import { logger } from '@librechat/data-schemas';
+
+export interface ApiKeyHandlerDependencies {
+  createAgentApiKey: (params: {
+    userId: string | Types.ObjectId;
+    name: string;
+    expiresAt?: Date | null;
+  }) => Promise<{
+    id: string;
+    name: string;
+    key: string;
+    keyPrefix: string;
+    createdAt: Date;
+    expiresAt?: Date;
+  }>;
+  listAgentApiKeys: (userId: string | Types.ObjectId) => Promise<
+    Array<{
+      id: string;
+      name: string;
+      keyPrefix: string;
+      lastUsedAt?: Date;
+      expiresAt?: Date;
+      createdAt: Date;
+    }>
+  >;
+  deleteAgentApiKey: (
+    keyId: string | Types.ObjectId,
+    userId: string | Types.ObjectId,
+  ) => Promise<boolean>;
+  getAgentApiKeyById: (
+    keyId: string | Types.ObjectId,
+    userId: string | Types.ObjectId,
+  ) => Promise<{
+    id: string;
+    name: string;
+    keyPrefix: string;
+    lastUsedAt?: Date;
+    expiresAt?: Date;
+    createdAt: Date;
+  } | null>;
+}
+
+interface AuthenticatedRequest extends Request {
+  user?: {
+    id: string;
+    _id: Types.ObjectId;
+  };
+}
+
+export function createApiKeyHandlers(deps: ApiKeyHandlerDependencies) {
+  async function createApiKey(req: AuthenticatedRequest, res: Response) {
+    try {
+      const { name, expiresAt } = req.body;
+
+      if (!name || typeof name !== 'string' || name.trim() === '') {
+        return res.status(400).json({
+          error: 'API key name is required',
+        });
+      }
+
+      const result = await deps.createAgentApiKey({
+        userId: req.user?.id || '',
+        name: name.trim(),
+        expiresAt: expiresAt ? new Date(expiresAt) : null,
+      });
+
+      res.status(201).json({
+        id: result.id,
+        name: result.name,
+        key: result.key,
+        keyPrefix: result.keyPrefix,
+        createdAt: result.createdAt,
+        expiresAt: result.expiresAt,
+      });
+    } catch (error) {
+      logger.error('[createApiKey] Error creating API key:', error);
+      res.status(500).json({ error: 'Failed to create API key' });
+    }
+  }
+
+  async function listApiKeys(req: AuthenticatedRequest, res: Response) {
+    try {
+      const keys = await deps.listAgentApiKeys(req.user?.id || '');
+      res.status(200).json({ keys });
+    } catch (error) {
+      logger.error('[listApiKeys] Error listing API keys:', error);
+      res.status(500).json({ error: 'Failed to list API keys' });
+    }
+  }
+
+  async function getApiKey(req: AuthenticatedRequest, res: Response) {
+    try {
+      const key = await deps.getAgentApiKeyById(req.params.id, req.user?.id || '');
+
+      if (!key) {
+        return res.status(404).json({ error: 'API key not found' });
+      }
+
+      res.status(200).json(key);
+    } catch (error) {
+      logger.error('[getApiKey] Error getting API key:', error);
+      res.status(500).json({ error: 'Failed to get API key' });
+    }
+  }
+
+  async function deleteApiKey(req: AuthenticatedRequest, res: Response) {
+    try {
+      const deleted = await deps.deleteAgentApiKey(req.params.id, req.user?.id || '');
+
+      if (!deleted) {
+        return res.status(404).json({ error: 'API key not found' });
+      }
+
+      res.status(204).send();
+    } catch (error) {
+      logger.error('[deleteApiKey] Error deleting API key:', error);
+      res.status(500).json({ error: 'Failed to delete API key' });
+    }
+  }
+
+  return {
+    createApiKey,
+    listApiKeys,
+    getApiKey,
+    deleteApiKey,
+  };
+}
diff --git a/packages/api/src/apiKeys/index.ts b/packages/api/src/apiKeys/index.ts
new file mode 100644
index 000000000000..69fd7b5c1a38
--- /dev/null
+++ b/packages/api/src/apiKeys/index.ts
@@ -0,0 +1,4 @@
+export * from './service';
+export * from './middleware';
+export * from './handlers';
+export * from './permissions';
diff --git a/packages/api/src/apiKeys/middleware.ts b/packages/api/src/apiKeys/middleware.ts
new file mode 100644
index 000000000000..2a503536483e
--- /dev/null
+++ b/packages/api/src/apiKeys/middleware.ts
@@ -0,0 +1,163 @@
+import { logger } from '@librechat/data-schemas';
+import { ResourceType, PermissionBits, hasPermissions } from 'librechat-data-provider';
+import type { Request, Response, NextFunction } from 'express';
+import type { IUser } from '@librechat/data-schemas';
+import type { Types } from 'mongoose';
+import { getRemoteAgentPermissions } from './service';
+
+export interface ApiKeyAuthDependencies {
+  validateAgentApiKey: (apiKey: string) => Promise<{
+    userId: Types.ObjectId;
+    keyId: Types.ObjectId;
+  } | null>;
+  findUser: (query: { _id: string | Types.ObjectId }) => Promise<IUser | null>;
+}
+
+export interface RemoteAgentAccessDependencies {
+  getAgent: (query: {
+    id: string;
+  }) => Promise<{ _id: Types.ObjectId; [key: string]: unknown } | null>;
+  getEffectivePermissions: (params: {
+    userId: string;
+    role?: string;
+    resourceType: ResourceType;
+    resourceId: string | Types.ObjectId;
+  }) => Promise<number>;
+}
+
+export interface ApiKeyAuthRequest extends Request {
+  user?: IUser & { id: string };
+  apiKeyId?: Types.ObjectId;
+}
+
+export interface RemoteAgentAccessRequest extends ApiKeyAuthRequest {
+  agent?: { _id: Types.ObjectId; [key: string]: unknown };
+  agentPermissions?: number;
+}
+
+export function createRequireApiKeyAuth(deps: ApiKeyAuthDependencies) {
+  return async (req: ApiKeyAuthRequest, res: Response, next: NextFunction) => {
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({
+        error: {
+          message: 'Missing or invalid Authorization header. Expected: Bearer <api_key>',
+          type: 'invalid_request_error',
+          code: 'missing_api_key',
+        },
+      });
+    }
+
+    const apiKey = authHeader.slice(7);
+
+    if (!apiKey || apiKey.trim() === '') {
+      return res.status(401).json({
+        error: {
+          message: 'API key is required',
+          type: 'invalid_request_error',
+          code: 'missing_api_key',
+        },
+      });
+    }
+
+    try {
+      const keyValidation = await deps.validateAgentApiKey(apiKey);
+
+      if (!keyValidation) {
+        return res.status(401).json({
+          error: {
+            message: 'Invalid API key',
+            type: 'invalid_request_error',
+            code: 'invalid_api_key',
+          },
+        });
+      }
+
+      const user = await deps.findUser({ _id: keyValidation.userId });
+
+      if (!user) {
+        return res.status(401).json({
+          error: {
+            message: 'User not found for this API key',
+            type: 'invalid_request_error',
+            code: 'invalid_api_key',
+          },
+        });
+      }
+
+      user.id = (user._id as Types.ObjectId).toString();
+      req.user = user as IUser & { id: string };
+      req.apiKeyId = keyValidation.keyId;
+
+      next();
+    } catch (error) {
+      logger.error('[requireApiKeyAuth] Error validating API key:', error);
+      return res.status(500).json({
+        error: {
+          message: 'Internal server error during authentication',
+          type: 'server_error',
+          code: 'internal_error',
+        },
+      });
+    }
+  };
+}
+
+export function createCheckRemoteAgentAccess(deps: RemoteAgentAccessDependencies) {
+  return async (req: RemoteAgentAccessRequest, res: Response, next: NextFunction) => {
+    const agentId = req.body?.model || req.params?.model;
+
+    if (!agentId) {
+      return res.status(400).json({
+        error: {
+          message: 'Model (agent ID) is required',
+          type: 'invalid_request_error',
+          code: 'missing_model',
+        },
+      });
+    }
+
+    try {
+      const agent = await deps.getAgent({ id: agentId });
+
+      if (!agent) {
+        return res.status(404).json({
+          error: {
+            message: `Agent not found: ${agentId}`,
+            type: 'invalid_request_error',
+            code: 'model_not_found',
+          },
+        });
+      }
+
+      const userId = req.user?.id || '';
+
+      const permissions = await getRemoteAgentPermissions(deps, userId, req.user?.role, agent._id);
+
+      if (!hasPermissions(permissions, PermissionBits.VIEW)) {
+        return res.status(403).json({
+          error: {
+            message: `No remote access to agent: ${agentId}`,
+            type: 'permission_error',
+            code: 'access_denied',
+          },
+        });
+      }
+
+      req.agent = agent;
+      req.agentPermissions = permissions;
+
+      next();
+    } catch (error) {
+      logger.error('[checkRemoteAgentAccess] Error checking agent access:', error);
+      return res.status(500).json({
+        error: {
+          message: 'Internal server error while checking agent access',
+          type: 'server_error',
+          code: 'internal_error',
+        },
+      });
+    }
+  };
+}
diff --git a/packages/api/src/apiKeys/permissions.ts b/packages/api/src/apiKeys/permissions.ts
new file mode 100644
index 000000000000..2556f25b57b3
--- /dev/null
+++ b/packages/api/src/apiKeys/permissions.ts
@@ -0,0 +1,169 @@
+import {
+  ResourceType,
+  PrincipalType,
+  PermissionBits,
+  AccessRoleIds,
+} from 'librechat-data-provider';
+import type { Types, Model } from 'mongoose';
+
+export interface Principal {
+  type: string;
+  id: string;
+  name: string;
+  email?: string;
+  avatar?: string;
+  source?: string;
+  idOnTheSource?: string;
+  accessRoleId: string;
+  isImplicit?: boolean;
+}
+
+export interface EnricherDependencies {
+  AclEntry: Model<{
+    principalType: string;
+    principalId: Types.ObjectId;
+    resourceType: string;
+    resourceId: Types.ObjectId;
+    permBits: number;
+    roleId: Types.ObjectId;
+    grantedBy: Types.ObjectId;
+    grantedAt: Date;
+  }>;
+  AccessRole: Model<{
+    accessRoleId: string;
+    permBits: number;
+  }>;
+  logger: { error: (msg: string, ...args: unknown[]) => void };
+}
+
+export interface EnrichResult {
+  principals: Principal[];
+  entriesToBackfill: Types.ObjectId[];
+}
+
+/** Enriches REMOTE_AGENT principals with implicit AGENT owners */
+export async function enrichRemoteAgentPrincipals(
+  deps: EnricherDependencies,
+  resourceId: string | Types.ObjectId,
+  principals: Principal[],
+): Promise<EnrichResult> {
+  const { AclEntry } = deps;
+
+  const resourceObjectId =
+    typeof resourceId === 'string' && /^[a-f\d]{24}$/i.test(resourceId)
+      ? deps.AclEntry.base.Types.ObjectId.createFromHexString(resourceId)
+      : resourceId;
+
+  const agentOwnerEntries = await AclEntry.aggregate([
+    {
+      $match: {
+        resourceType: ResourceType.AGENT,
+        resourceId: resourceObjectId,
+        principalType: PrincipalType.USER,
+        permBits: { $bitsAllSet: PermissionBits.SHARE },
+      },
+    },
+    {
+      $lookup: {
+        from: 'users',
+        localField: 'principalId',
+        foreignField: '_id',
+        as: 'userInfo',
+      },
+    },
+    {
+      $project: {
+        principalId: 1,
+        userInfo: { $arrayElemAt: ['$userInfo', 0] },
+      },
+    },
+  ]);
+
+  const enrichedPrincipals = [...principals];
+  const entriesToBackfill: Types.ObjectId[] = [];
+
+  for (const entry of agentOwnerEntries) {
+    if (!entry.userInfo) {
+      continue;
+    }
+
+    const alreadyIncluded = enrichedPrincipals.some(
+      (p) => p.type === PrincipalType.USER && p.id === entry.principalId.toString(),
+    );
+
+    if (!alreadyIncluded) {
+      enrichedPrincipals.unshift({
+        type: PrincipalType.USER,
+        id: entry.userInfo._id.toString(),
+        name: entry.userInfo.name || entry.userInfo.username,
+        email: entry.userInfo.email,
+        avatar: entry.userInfo.avatar,
+        source: 'local',
+        idOnTheSource: entry.userInfo.idOnTheSource || entry.userInfo._id.toString(),
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+        isImplicit: true,
+      });
+
+      entriesToBackfill.push(entry.principalId);
+    }
+  }
+
+  return { principals: enrichedPrincipals, entriesToBackfill };
+}
+
+/** Backfills REMOTE_AGENT ACL entries for AGENT owners (fire-and-forget) */
+export function backfillRemoteAgentPermissions(
+  deps: EnricherDependencies,
+  resourceId: string | Types.ObjectId,
+  entriesToBackfill: Types.ObjectId[],
+): void {
+  if (entriesToBackfill.length === 0) {
+    return;
+  }
+
+  const { AclEntry, AccessRole, logger } = deps;
+
+  const resourceObjectId =
+    typeof resourceId === 'string' && /^[a-f\d]{24}$/i.test(resourceId)
+      ? AclEntry.base.Types.ObjectId.createFromHexString(resourceId)
+      : resourceId;
+
+  AccessRole.findOne({ accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER })
+    .lean()
+    .then((role) => {
+      if (!role) {
+        logger.error('[backfillRemoteAgentPermissions] REMOTE_AGENT_OWNER role not found');
+        return;
+      }
+
+      const bulkOps = entriesToBackfill.map((principalId) => ({
+        updateOne: {
+          filter: {
+            principalType: PrincipalType.USER,
+            principalId,
+            resourceType: ResourceType.REMOTE_AGENT,
+            resourceId: resourceObjectId,
+          },
+          update: {
+            $setOnInsert: {
+              principalType: PrincipalType.USER,
+              principalId,
+              principalModel: 'User',
+              resourceType: ResourceType.REMOTE_AGENT,
+              resourceId: resourceObjectId,
+              permBits: role.permBits,
+              roleId: role._id,
+              grantedBy: principalId,
+              grantedAt: new Date(),
+            },
+          },
+          upsert: true,
+        },
+      }));
+
+      return AclEntry.bulkWrite(bulkOps, { ordered: false });
+    })
+    .catch((err) => {
+      logger.error('[backfillRemoteAgentPermissions] Failed to backfill:', err);
+    });
+}
diff --git a/packages/api/src/apiKeys/service.ts b/packages/api/src/apiKeys/service.ts
new file mode 100644
index 000000000000..30ae0afb53d9
--- /dev/null
+++ b/packages/api/src/apiKeys/service.ts
@@ -0,0 +1,146 @@
+import { createMethods } from '@librechat/data-schemas';
+import { ResourceType, PermissionBits, hasPermissions } from 'librechat-data-provider';
+import type { AllMethods, IUser } from '@librechat/data-schemas';
+import type { Types } from 'mongoose';
+
+export interface ApiKeyServiceDependencies {
+  validateAgentApiKey: AllMethods['validateAgentApiKey'];
+  createAgentApiKey: AllMethods['createAgentApiKey'];
+  listAgentApiKeys: AllMethods['listAgentApiKeys'];
+  deleteAgentApiKey: AllMethods['deleteAgentApiKey'];
+  getAgentApiKeyById: AllMethods['getAgentApiKeyById'];
+  findUser: (query: { _id: string | Types.ObjectId }) => Promise<IUser | null>;
+}
+
+export interface RemoteAgentAccessResult {
+  hasAccess: boolean;
+  permissions: number;
+  agent: { _id: Types.ObjectId; [key: string]: unknown } | null;
+}
+
+export class AgentApiKeyService {
+  private deps: ApiKeyServiceDependencies;
+
+  constructor(deps: ApiKeyServiceDependencies) {
+    this.deps = deps;
+  }
+
+  async validateApiKey(apiKey: string): Promise<{
+    userId: Types.ObjectId;
+    keyId: Types.ObjectId;
+  } | null> {
+    return this.deps.validateAgentApiKey(apiKey);
+  }
+
+  async createApiKey(params: {
+    userId: string | Types.ObjectId;
+    name: string;
+    expiresAt?: Date | null;
+  }) {
+    return this.deps.createAgentApiKey(params);
+  }
+
+  async listApiKeys(userId: string | Types.ObjectId) {
+    return this.deps.listAgentApiKeys(userId);
+  }
+
+  async deleteApiKey(keyId: string | Types.ObjectId, userId: string | Types.ObjectId) {
+    return this.deps.deleteAgentApiKey(keyId, userId);
+  }
+
+  async getApiKeyById(keyId: string | Types.ObjectId, userId: string | Types.ObjectId) {
+    return this.deps.getAgentApiKeyById(keyId, userId);
+  }
+
+  async getUserFromApiKey(apiKey: string): Promise<IUser | null> {
+    const keyValidation = await this.validateApiKey(apiKey);
+    if (!keyValidation) {
+      return null;
+    }
+
+    return this.deps.findUser({ _id: keyValidation.userId });
+  }
+}
+
+export function createApiKeyServiceDependencies(
+  mongoose: typeof import('mongoose'),
+): ApiKeyServiceDependencies {
+  const methods = createMethods(mongoose);
+  return {
+    validateAgentApiKey: methods.validateAgentApiKey,
+    createAgentApiKey: methods.createAgentApiKey,
+    listAgentApiKeys: methods.listAgentApiKeys,
+    deleteAgentApiKey: methods.deleteAgentApiKey,
+    getAgentApiKeyById: methods.getAgentApiKeyById,
+    findUser: methods.findUser,
+  };
+}
+
+export interface GetRemoteAgentPermissionsDeps {
+  getEffectivePermissions: (params: {
+    userId: string;
+    role?: string;
+    resourceType: ResourceType;
+    resourceId: string | Types.ObjectId;
+  }) => Promise<number>;
+}
+
+/** AGENT owners automatically have full REMOTE_AGENT permissions */
+export async function getRemoteAgentPermissions(
+  deps: GetRemoteAgentPermissionsDeps,
+  userId: string,
+  role: string | undefined,
+  resourceId: string | Types.ObjectId,
+): Promise<number> {
+  const agentPerms = await deps.getEffectivePermissions({
+    userId,
+    role,
+    resourceType: ResourceType.AGENT,
+    resourceId,
+  });
+
+  if (hasPermissions(agentPerms, PermissionBits.SHARE)) {
+    return PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE;
+  }
+
+  return deps.getEffectivePermissions({
+    userId,
+    role,
+    resourceType: ResourceType.REMOTE_AGENT,
+    resourceId,
+  });
+}
+
+export async function checkRemoteAgentAccess(params: {
+  userId: string;
+  role?: string;
+  agentId: string;
+  getAgent: (query: {
+    id: string;
+  }) => Promise<{ _id: Types.ObjectId; [key: string]: unknown } | null>;
+  getEffectivePermissions: (params: {
+    userId: string;
+    role?: string;
+    resourceType: ResourceType;
+    resourceId: string | Types.ObjectId;
+  }) => Promise<number>;
+}): Promise<RemoteAgentAccessResult> {
+  const { userId, role, agentId, getAgent, getEffectivePermissions } = params;
+
+  const agent = await getAgent({ id: agentId });
+
+  if (!agent) {
+    return { hasAccess: false, permissions: 0, agent: null };
+  }
+
+  const permissions = await getRemoteAgentPermissions(
+    { getEffectivePermissions },
+    userId,
+    role,
+    agent._id,
+  );
+
+  const hasAccess = hasPermissions(permissions, PermissionBits.VIEW);
+
+  return { hasAccess, permissions, agent };
+}
diff --git a/packages/api/src/app/AppService.spec.ts b/packages/api/src/app/AppService.spec.ts
index 9c771b4bd6b6..a7b5a460540c 100644
--- a/packages/api/src/app/AppService.spec.ts
+++ b/packages/api/src/app/AppService.spec.ts
@@ -611,6 +611,78 @@ describe('AppService', () => {
     );
   });
 
+  it('should correctly configure Bedrock endpoint with models and inferenceProfiles', async () => {
+    const config: Partial<TCustomConfig> = {
+      endpoints: {
+        [EModelEndpoint.bedrock]: {
+          models: [
+            'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+            'us.anthropic.claude-sonnet-4-5-20250929-v1:0',
+            'global.anthropic.claude-opus-4-5-20251101-v1:0',
+          ],
+          inferenceProfiles: {
+            'us.anthropic.claude-3-7-sonnet-20250219-v1:0':
+              'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123',
+            'us.anthropic.claude-sonnet-4-5-20250929-v1:0': '${BEDROCK_SONNET_45_PROFILE}',
+          },
+          availableRegions: ['us-east-1', 'us-west-2'],
+          titleConvo: true,
+          titleModel: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      },
+    };
+
+    const result = await AppService({ config });
+
+    expect(result).toEqual(
+      expect.objectContaining({
+        endpoints: expect.objectContaining({
+          [EModelEndpoint.bedrock]: expect.objectContaining({
+            models: expect.arrayContaining([
+              'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+              'us.anthropic.claude-sonnet-4-5-20250929-v1:0',
+              'global.anthropic.claude-opus-4-5-20251101-v1:0',
+            ]),
+            inferenceProfiles: expect.objectContaining({
+              'us.anthropic.claude-3-7-sonnet-20250219-v1:0':
+                'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123',
+              'us.anthropic.claude-sonnet-4-5-20250929-v1:0': '${BEDROCK_SONNET_45_PROFILE}',
+            }),
+            availableRegions: expect.arrayContaining(['us-east-1', 'us-west-2']),
+            titleConvo: true,
+            titleModel: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+          }),
+        }),
+      }),
+    );
+  });
+
+  it('should configure Bedrock endpoint with only inferenceProfiles (no models array)', async () => {
+    const config: Partial<TCustomConfig> = {
+      endpoints: {
+        [EModelEndpoint.bedrock]: {
+          inferenceProfiles: {
+            'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '${BEDROCK_INFERENCE_PROFILE_ARN}',
+          },
+        },
+      },
+    };
+
+    const result = await AppService({ config });
+
+    expect(result).toEqual(
+      expect.objectContaining({
+        endpoints: expect.objectContaining({
+          [EModelEndpoint.bedrock]: expect.objectContaining({
+            inferenceProfiles: expect.objectContaining({
+              'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '${BEDROCK_INFERENCE_PROFILE_ARN}',
+            }),
+          }),
+        }),
+      }),
+    );
+  });
+
   it('should correctly configure all endpoint when specified', async () => {
     const config: Partial<TCustomConfig> = {
       endpoints: {
diff --git a/packages/api/src/app/permissions.spec.ts b/packages/api/src/app/permissions.spec.ts
index b84ad63498b0..a787c0c3a307 100644
--- a/packages/api/src/app/permissions.spec.ts
+++ b/packages/api/src/app/permissions.spec.ts
@@ -100,6 +100,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -141,6 +147,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -246,6 +258,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -287,6 +305,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -378,6 +402,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -419,6 +449,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -523,6 +559,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -564,6 +606,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -655,6 +703,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -696,6 +750,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -784,6 +844,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -813,6 +879,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
@@ -920,6 +992,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: false,
         [Permissions.SHARE_PUBLIC]: false,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: false,
+        [Permissions.CREATE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
     };
 
     const expectedPermissionsForAdmin = {
@@ -955,6 +1033,12 @@ describe('updateInterfacePermissions - permissions', () => {
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     };
 
     expect(mockUpdateAccessPermissions).toHaveBeenCalledTimes(2);
diff --git a/packages/api/src/app/permissions.ts b/packages/api/src/app/permissions.ts
index bfa49e6bbd69..8f97236823cc 100644
--- a/packages/api/src/app/permissions.ts
+++ b/packages/api/src/app/permissions.ts
@@ -43,6 +43,8 @@ function hasExplicitConfig(
       return interfaceConfig?.fileCitations !== undefined;
     case PermissionTypes.MCP_SERVERS:
       return interfaceConfig?.mcpServers !== undefined;
+    case PermissionTypes.REMOTE_AGENTS:
+      return interfaceConfig?.remoteAgents !== undefined;
     default:
       return false;
   }
@@ -101,7 +103,9 @@ export async function updateInterfacePermissions({
     const defaultPerms = roleDefaults[roleName]?.permissions;
 
     const existingRole = await getRoleByName(roleName);
-    const existingPermissions = existingRole?.permissions;
+    const existingPermissions = existingRole?.permissions as
+      | Partial<Record<PermissionTypes, Record<string, boolean | undefined>>>
+      | undefined;
     const permissionsToUpdate: Partial<
       Record<PermissionTypes, Record<string, boolean | undefined>>
     > = {};
@@ -335,6 +339,28 @@ export async function updateInterfacePermissions({
           defaults.mcpServers?.public,
         ),
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: getPermissionValue(
+          loadedInterface.remoteAgents?.use,
+          defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.USE],
+          defaults.remoteAgents?.use,
+        ),
+        [Permissions.CREATE]: getPermissionValue(
+          loadedInterface.remoteAgents?.create,
+          defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.CREATE],
+          defaults.remoteAgents?.create,
+        ),
+        [Permissions.SHARE]: getPermissionValue(
+          loadedInterface.remoteAgents?.share,
+          defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.SHARE],
+          defaults.remoteAgents?.share,
+        ),
+        [Permissions.SHARE_PUBLIC]: getPermissionValue(
+          loadedInterface.remoteAgents?.public,
+          defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.SHARE_PUBLIC],
+          defaults.remoteAgents?.public,
+        ),
+      },
     };
 
     // Check and add each permission type if needed
diff --git a/packages/api/src/auth/exchange.ts b/packages/api/src/auth/exchange.ts
new file mode 100644
index 000000000000..c91997452367
--- /dev/null
+++ b/packages/api/src/auth/exchange.ts
@@ -0,0 +1,157 @@
+import crypto from 'crypto';
+import { Keyv } from 'keyv';
+import { logger } from '@librechat/data-schemas';
+import type { IUser } from '@librechat/data-schemas';
+
+/** Default admin panel URL for local development */
+const DEFAULT_ADMIN_PANEL_URL = 'http://localhost:3000';
+
+/**
+ * Gets the admin panel URL from environment or falls back to default.
+ * @returns The admin panel URL
+ */
+export function getAdminPanelUrl(): string {
+  return process.env.ADMIN_PANEL_URL || DEFAULT_ADMIN_PANEL_URL;
+}
+
+/**
+ * User data stored in the exchange cache
+ */
+export interface AdminExchangeUser {
+  _id: string;
+  id: string;
+  email: string;
+  name: string;
+  username: string;
+  role: string;
+  avatar?: string;
+  provider?: string;
+  openidId?: string;
+}
+
+/**
+ * Data stored in cache for admin OAuth exchange
+ */
+export interface AdminExchangeData {
+  userId: string;
+  user: AdminExchangeUser;
+  token: string;
+  refreshToken?: string;
+}
+
+/**
+ * Response from the exchange endpoint
+ */
+export interface AdminExchangeResponse {
+  token: string;
+  refreshToken?: string;
+  user: AdminExchangeUser;
+}
+
+/**
+ * Serializes user data for the exchange cache.
+ * @param user - The authenticated user object
+ * @returns Serialized user data for admin panel
+ */
+export function serializeUserForExchange(user: IUser): AdminExchangeUser {
+  const userId = String(user._id);
+  return {
+    _id: userId,
+    id: userId,
+    email: user.email,
+    name: user.name ?? '',
+    username: user.username ?? '',
+    role: user.role ?? 'USER',
+    avatar: user.avatar,
+    provider: user.provider,
+    openidId: user.openidId,
+  };
+}
+
+/**
+ * Generates an exchange code and stores user data for admin panel OAuth flow.
+ * @param cache - The Keyv cache instance for storing exchange data
+ * @param user - The authenticated user object
+ * @param token - The JWT access token
+ * @param refreshToken - Optional refresh token for OpenID users
+ * @returns The generated exchange code
+ */
+export async function generateAdminExchangeCode(
+  cache: Keyv,
+  user: IUser,
+  token: string,
+  refreshToken?: string,
+): Promise<string> {
+  const exchangeCode = crypto.randomBytes(32).toString('hex');
+
+  const data: AdminExchangeData = {
+    userId: String(user._id),
+    user: serializeUserForExchange(user),
+    token,
+    refreshToken,
+  };
+
+  await cache.set(exchangeCode, data);
+
+  logger.info(`[adminExchange] Generated exchange code for user: ${user.email}`);
+
+  return exchangeCode;
+}
+
+/**
+ * Exchanges an authorization code for tokens and user data.
+ * The code is deleted immediately after retrieval (one-time use).
+ * @param cache - The Keyv cache instance for retrieving exchange data
+ * @param code - The authorization code to exchange
+ * @returns The exchange response with token, refreshToken, and user data, or null if invalid/expired
+ */
+export async function exchangeAdminCode(
+  cache: Keyv,
+  code: string,
+): Promise<AdminExchangeResponse | null> {
+  const data = (await cache.get(code)) as AdminExchangeData | undefined;
+
+  /** Delete immediately - one-time use */
+  await cache.delete(code);
+
+  if (!data) {
+    logger.warn('[adminExchange] Invalid or expired authorization code');
+    return null;
+  }
+
+  logger.info(`[adminExchange] Exchanged code for user: ${data.user?.email}`);
+
+  return {
+    token: data.token,
+    refreshToken: data.refreshToken,
+    user: data.user,
+  };
+}
+
+/**
+ * Checks if the redirect URI is for the admin panel (cross-origin).
+ * Uses proper URL parsing to compare origins, handling edge cases where
+ * both URLs might share the same prefix (e.g., localhost:3000 vs localhost:3001).
+ *
+ * @param redirectUri - The redirect URI to check.
+ * @param adminPanelUrl - The admin panel URL (defaults to ADMIN_PANEL_URL env var)
+ * @param domainClient - The main client domain
+ * @returns True if redirecting to admin panel (different origin from main client).
+ */
+export function isAdminPanelRedirect(
+  redirectUri: string,
+  adminPanelUrl: string,
+  domainClient: string,
+): boolean {
+  try {
+    const redirectOrigin = new URL(redirectUri).origin;
+    const adminOrigin = new URL(adminPanelUrl).origin;
+    const clientOrigin = new URL(domainClient).origin;
+
+    /** Redirect is for admin panel if it matches admin origin but not main client origin */
+    return redirectOrigin === adminOrigin && redirectOrigin !== clientOrigin;
+  } catch {
+    /** If URL parsing fails, fall back to simple string comparison */
+    return redirectUri.startsWith(adminPanelUrl) && !redirectUri.startsWith(domainClient);
+  }
+}
diff --git a/packages/api/src/auth/index.ts b/packages/api/src/auth/index.ts
index bee8cf169134..d15d94aad2e9 100644
--- a/packages/api/src/auth/index.ts
+++ b/packages/api/src/auth/index.ts
@@ -1,2 +1,3 @@
 export * from './domain';
 export * from './openid';
+export * from './exchange';
diff --git a/packages/api/src/endpoints/bedrock/initialize.spec.ts b/packages/api/src/endpoints/bedrock/initialize.spec.ts
index 9b0ba152d7f2..8b60b7643413 100644
--- a/packages/api/src/endpoints/bedrock/initialize.spec.ts
+++ b/packages/api/src/endpoints/bedrock/initialize.spec.ts
@@ -313,4 +313,304 @@ describe('initializeBedrock', () => {
       expect(typeof result.configOptions).toBe('object');
     });
   });
+
+  describe('Inference Profile Configuration', () => {
+    it('should set applicationInferenceProfile when model has matching inference profile config', async () => {
+      const inferenceProfileArn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123';
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': inferenceProfileArn,
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', inferenceProfileArn);
+    });
+
+    it('should NOT set applicationInferenceProfile when model has no matching config', async () => {
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-sonnet-4-5-20250929-v1:0':
+                  'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/xyz789',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0', // Different model
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).not.toHaveProperty('applicationInferenceProfile');
+    });
+
+    it('should resolve environment variable in inference profile ARN', async () => {
+      const inferenceProfileArn =
+        'arn:aws:bedrock:us-east-1:951834775723:application-inference-profile/yjr1elcyt29s';
+      process.env.BEDROCK_INFERENCE_PROFILE_ARN = inferenceProfileArn;
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '${BEDROCK_INFERENCE_PROFILE_ARN}',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', inferenceProfileArn);
+    });
+
+    it('should use direct ARN when no env variable syntax is used', async () => {
+      const directArn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/direct123';
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': directArn,
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', directArn);
+    });
+
+    it('should fall back to original string when env variable is not set', async () => {
+      // Ensure the env var is not set
+      delete process.env.NONEXISTENT_PROFILE_ARN;
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '${NONEXISTENT_PROFILE_ARN}',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      // Should return the original ${VAR} string when env var doesn't exist
+      expect(result.llmConfig).toHaveProperty(
+        'applicationInferenceProfile',
+        '${NONEXISTENT_PROFILE_ARN}',
+      );
+    });
+
+    it('should resolve multiple different env variables for different models', async () => {
+      const claude37Arn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/claude37';
+      const sonnet45Arn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/sonnet45';
+
+      process.env.CLAUDE_37_PROFILE = claude37Arn;
+      process.env.SONNET_45_PROFILE = sonnet45Arn;
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '${CLAUDE_37_PROFILE}',
+                'us.anthropic.claude-sonnet-4-5-20250929-v1:0': '${SONNET_45_PROFILE}',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', claude37Arn);
+    });
+
+    it('should handle env variable with whitespace around it', async () => {
+      const inferenceProfileArn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/trimmed';
+      process.env.TRIMMED_PROFILE_ARN = inferenceProfileArn;
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': '  ${TRIMMED_PROFILE_ARN}  ',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', inferenceProfileArn);
+    });
+
+    it('should NOT set applicationInferenceProfile when inferenceProfiles config is empty', async () => {
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {},
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).not.toHaveProperty('applicationInferenceProfile');
+    });
+
+    it('should NOT set applicationInferenceProfile when no bedrock config exists', async () => {
+      const params = createMockParams({
+        config: {},
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).not.toHaveProperty('applicationInferenceProfile');
+    });
+
+    it('should handle multiple inference profiles and select the correct one', async () => {
+      const sonnet45Arn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/sonnet45';
+      const claude37Arn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/claude37';
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-sonnet-4-5-20250929-v1:0': sonnet45Arn,
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': claude37Arn,
+                'global.anthropic.claude-opus-4-5-20251101-v1:0':
+                  'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/opus45',
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', claude37Arn);
+    });
+
+    it('should work alongside guardrailConfig', async () => {
+      const inferenceProfileArn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123';
+      const guardrailConfig = {
+        guardrailIdentifier: 'test-guardrail',
+        guardrailVersion: '1',
+      };
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': inferenceProfileArn,
+              },
+              guardrailConfig,
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', inferenceProfileArn);
+      expect(result.llmConfig).toHaveProperty('guardrailConfig', guardrailConfig);
+    });
+
+    it('should preserve the original model ID in llmConfig.model', async () => {
+      const inferenceProfileArn =
+        'arn:aws:bedrock:us-east-1:123456789012:application-inference-profile/abc123';
+
+      const params = createMockParams({
+        config: {
+          endpoints: {
+            [EModelEndpoint.bedrock]: {
+              inferenceProfiles: {
+                'us.anthropic.claude-3-7-sonnet-20250219-v1:0': inferenceProfileArn,
+              },
+            },
+          },
+        },
+        model_parameters: {
+          model: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+        },
+      });
+
+      const result = (await initializeBedrock(params)) as BedrockLLMConfigResult;
+
+      // Model ID should remain unchanged - only applicationInferenceProfile should be set
+      expect(result.llmConfig).toHaveProperty(
+        'model',
+        'us.anthropic.claude-3-7-sonnet-20250219-v1:0',
+      );
+      expect(result.llmConfig).toHaveProperty('applicationInferenceProfile', inferenceProfileArn);
+    });
+  });
 });
diff --git a/packages/api/src/endpoints/bedrock/initialize.ts b/packages/api/src/endpoints/bedrock/initialize.ts
index 9f5db47bf72c..f3ba459ba582 100644
--- a/packages/api/src/endpoints/bedrock/initialize.ts
+++ b/packages/api/src/endpoints/bedrock/initialize.ts
@@ -4,6 +4,7 @@ import { BedrockRuntimeClient } from '@aws-sdk/client-bedrock-runtime';
 import {
   AuthType,
   EModelEndpoint,
+  extractEnvVariable,
   bedrockInputParser,
   bedrockOutputParser,
   removeNullishValues,
@@ -13,6 +14,7 @@ import type {
   InitializeResultBase,
   BedrockCredentials,
   GuardrailConfiguration,
+  InferenceProfileConfig,
 } from '~/types';
 import { checkUserKeyExpiry } from '~/utils';
 
@@ -49,7 +51,10 @@ export async function initializeBedrock({
   void endpoint;
   const appConfig = req.config;
   const bedrockConfig = appConfig?.endpoints?.[EModelEndpoint.bedrock] as
-    | ({ guardrailConfig?: GuardrailConfiguration } & Record<string, unknown>)
+    | ({
+        guardrailConfig?: GuardrailConfiguration;
+        inferenceProfiles?: InferenceProfileConfig;
+      } & Record<string, unknown>)
     | undefined;
 
   const {
@@ -105,17 +110,25 @@ export async function initializeBedrock({
       }),
     ),
   ) as InitializeResultBase['llmConfig'] & {
+    model?: string;
     region?: string;
     client?: BedrockRuntimeClient;
     credentials?: BedrockCredentials;
     endpointHost?: string;
     guardrailConfig?: GuardrailConfiguration;
+    applicationInferenceProfile?: string;
   };
 
   if (bedrockConfig?.guardrailConfig) {
     llmConfig.guardrailConfig = bedrockConfig.guardrailConfig;
   }
 
+  const model = model_parameters?.model as string | undefined;
+  if (model && bedrockConfig?.inferenceProfiles?.[model]) {
+    const applicationInferenceProfile = extractEnvVariable(bedrockConfig.inferenceProfiles[model]);
+    llmConfig.applicationInferenceProfile = applicationInferenceProfile;
+  }
+
   /** Only include credentials if they're complete (accessKeyId and secretAccessKey are both set) */
   const hasCompleteCredentials =
     credentials &&
diff --git a/packages/api/src/index.ts b/packages/api/src/index.ts
index 492b59f23279..fefdafaefdde 100644
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -2,6 +2,8 @@ export * from './app';
 export * from './cdn';
 /* Auth */
 export * from './auth';
+/* API Keys */
+export * from './apiKeys';
 /* MCP */
 export * from './mcp/registry/MCPServersRegistry';
 export * from './mcp/MCPManager';
diff --git a/packages/api/src/mcp/MCPManager.ts b/packages/api/src/mcp/MCPManager.ts
index fbd5bd050dfc..0b9dce70610a 100644
--- a/packages/api/src/mcp/MCPManager.ts
+++ b/packages/api/src/mcp/MCPManager.ts
@@ -3,6 +3,7 @@ import { logger } from '@librechat/data-schemas';
 import { CallToolResultSchema, ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';
 import type { RequestOptions } from '@modelcontextprotocol/sdk/shared/protocol.js';
 import type { TokenMethods, IUser } from '@librechat/data-schemas';
+import type { GraphTokenResolver } from '~/utils/graph';
 import type { FlowStateManager } from '~/flow/manager';
 import type { MCPOAuthTokens } from './oauth';
 import type { RequestBody } from '~/types';
@@ -12,6 +13,7 @@ import { ConnectionsRepository } from './ConnectionsRepository';
 import { MCPServerInspector } from './registry/MCPServerInspector';
 import { MCPServersInitializer } from './registry/MCPServersInitializer';
 import { MCPServersRegistry } from './registry/MCPServersRegistry';
+import { preProcessGraphTokens } from '~/utils/graph';
 import { formatToolContent } from './parsers';
 import { MCPConnection } from './connection';
 import { processMCPEnv } from '~/utils/env';
@@ -160,6 +162,10 @@ Please follow these instructions when using tools from the respective MCP server
    * Calls a tool on an MCP server, using either a user-specific connection
    * (if userId is provided) or an app-level connection. Updates the last activity timestamp
    * for user-specific connections upon successful call initiation.
+   *
+   * @param graphTokenResolver - Optional function to resolve Graph API tokens via OBO flow.
+   *   When provided and the server config contains `{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}` placeholders,
+   *   they will be resolved to actual Graph API tokens before the tool call.
    */
   async callTool({
     user,
@@ -174,6 +180,7 @@ Please follow these instructions when using tools from the respective MCP server
     oauthStart,
     oauthEnd,
     customUserVars,
+    graphTokenResolver,
   }: {
     user?: IUser;
     serverName: string;
@@ -187,6 +194,7 @@ Please follow these instructions when using tools from the respective MCP server
     flowManager: FlowStateManager<MCPOAuthTokens | null>;
     oauthStart?: (authURL: string) => Promise<void>;
     oauthEnd?: () => Promise<void>;
+    graphTokenResolver?: GraphTokenResolver;
   }): Promise<t.FormattedToolResponse> {
     /** User-specific connection */
     let connection: MCPConnection | undefined;
@@ -220,9 +228,16 @@ Please follow these instructions when using tools from the respective MCP server
         serverName,
         userId,
       )) as t.MCPOptions;
+
+      // Pre-process Graph token placeholders (async) before sync processMCPEnv
+      const graphProcessedConfig = await preProcessGraphTokens(rawConfig, {
+        user,
+        graphTokenResolver,
+        scopes: process.env.GRAPH_API_SCOPES,
+      });
       const currentOptions = processMCPEnv({
         user,
-        options: rawConfig,
+        options: graphProcessedConfig,
         customUserVars: customUserVars,
         body: requestBody,
       });
diff --git a/packages/api/src/mcp/__tests__/MCPManager.test.ts b/packages/api/src/mcp/__tests__/MCPManager.test.ts
index e75cd09b33d3..f210fcb63a7a 100644
--- a/packages/api/src/mcp/__tests__/MCPManager.test.ts
+++ b/packages/api/src/mcp/__tests__/MCPManager.test.ts
@@ -1,10 +1,13 @@
 import { logger } from '@librechat/data-schemas';
+import type { IUser } from '@librechat/data-schemas';
+import type { GraphTokenResolver } from '~/utils/graph';
 import type * as t from '~/mcp/types';
-import { MCPManager } from '~/mcp/MCPManager';
 import { MCPServersInitializer } from '~/mcp/registry/MCPServersInitializer';
 import { MCPServerInspector } from '~/mcp/registry/MCPServerInspector';
 import { ConnectionsRepository } from '~/mcp/ConnectionsRepository';
-import { MCPConnection } from '../connection';
+import { MCPConnection } from '~/mcp/connection';
+import { MCPManager } from '~/mcp/MCPManager';
+import * as graphUtils from '~/utils/graph';
 
 // Mock external dependencies
 jest.mock('@librechat/data-schemas', () => ({
@@ -16,6 +19,15 @@ jest.mock('@librechat/data-schemas', () => ({
   },
 }));
 
+jest.mock('~/utils/graph', () => ({
+  ...jest.requireActual('~/utils/graph'),
+  preProcessGraphTokens: jest.fn(),
+}));
+
+jest.mock('~/utils/env', () => ({
+  processMCPEnv: jest.fn((params) => params.options),
+}));
+
 const mockRegistryInstance = {
   getServerConfig: jest.fn(),
   getAllServerConfigs: jest.fn(),
@@ -389,4 +401,390 @@ describe('MCPManager', () => {
       );
     });
   });
+
+  describe('callTool - Graph Token Integration', () => {
+    const mockUser: Partial<IUser> = {
+      id: 'user-123',
+      provider: 'openid',
+      openidId: 'oidc-sub-456',
+    };
+
+    const mockFlowManager = {
+      getState: jest.fn(),
+      setState: jest.fn(),
+      clearState: jest.fn(),
+    };
+
+    const mockConnection = {
+      isConnected: jest.fn().mockResolvedValue(true),
+      setRequestHeaders: jest.fn(),
+      timeout: 30000,
+      client: {
+        request: jest.fn().mockResolvedValue({
+          content: [{ type: 'text', text: 'Tool result' }],
+          isError: false,
+        }),
+      },
+    } as unknown as MCPConnection;
+
+    const mockGraphTokenResolver: GraphTokenResolver = jest.fn().mockResolvedValue({
+      access_token: 'resolved-graph-token',
+      token_type: 'Bearer',
+      expires_in: 3600,
+      scope: 'https://graph.microsoft.com/.default',
+    });
+
+    function createServerConfigWithGraphPlaceholder(): t.SSEOptions {
+      return {
+        type: 'sse',
+        url: 'https://api.example.com',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'Content-Type': 'application/json',
+        },
+      };
+    }
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+
+      // Mock preProcessGraphTokens to simulate token resolution
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(
+        async (options, graphOptions) => {
+          if (
+            options.headers?.Authorization?.includes('{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}') &&
+            graphOptions.graphTokenResolver
+          ) {
+            return {
+              ...options,
+              headers: {
+                ...options.headers,
+                Authorization: 'Bearer resolved-graph-token',
+              },
+            };
+          }
+          return options;
+        },
+      );
+    });
+
+    it('should call preProcessGraphTokens with graphTokenResolver when provided', async () => {
+      const serverConfig = createServerConfigWithGraphPlaceholder();
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      expect(graphUtils.preProcessGraphTokens).toHaveBeenCalledWith(
+        serverConfig,
+        expect.objectContaining({
+          user: mockUser,
+          graphTokenResolver: mockGraphTokenResolver,
+        }),
+      );
+    });
+
+    it('should resolve graph token placeholders in headers before tool call', async () => {
+      const serverConfig = createServerConfigWithGraphPlaceholder();
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Verify the connection received the resolved headers
+      expect(mockConnection.setRequestHeaders).toHaveBeenCalledWith(
+        expect.objectContaining({
+          Authorization: 'Bearer resolved-graph-token',
+        }),
+      );
+    });
+
+    it('should pass options unchanged when no graphTokenResolver is provided', async () => {
+      const serverConfig: t.SSEOptions = {
+        type: 'sse',
+        url: 'https://api.example.com',
+        headers: {
+          Authorization: 'Bearer static-token',
+        },
+      };
+
+      // Reset mock to return options unchanged
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(
+        async (options) => options,
+      );
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        // No graphTokenResolver provided
+      });
+
+      // Verify preProcessGraphTokens was still called (to check for placeholders)
+      expect(graphUtils.preProcessGraphTokens).toHaveBeenCalledWith(
+        serverConfig,
+        expect.objectContaining({
+          user: mockUser,
+          graphTokenResolver: undefined,
+        }),
+      );
+    });
+
+    it('should handle graph token resolution failure gracefully', async () => {
+      const serverConfig = createServerConfigWithGraphPlaceholder();
+
+      // Simulate resolution failure - returns original value unchanged
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(
+        async (options) => options,
+      );
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      // Should not throw, even when token resolution fails
+      await expect(
+        manager.callTool({
+          user: mockUser as IUser,
+          serverName,
+          toolName: 'test_tool',
+          provider: 'openai',
+          flowManager: mockFlowManager as unknown as Parameters<
+            typeof manager.callTool
+          >[0]['flowManager'],
+          graphTokenResolver: mockGraphTokenResolver,
+        }),
+      ).resolves.toBeDefined();
+
+      // Headers should contain the unresolved placeholder
+      expect(mockConnection.setRequestHeaders).toHaveBeenCalledWith(
+        expect.objectContaining({
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        }),
+      );
+    });
+
+    it('should resolve graph tokens in env variables', async () => {
+      const serverConfig: t.StdioOptions = {
+        type: 'stdio',
+        command: 'node',
+        args: ['server.js'],
+        env: {
+          GRAPH_TOKEN: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          OTHER_VAR: 'static-value',
+        },
+      };
+
+      // Mock resolution for env variables
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(async (options) => {
+        if (options.env?.GRAPH_TOKEN?.includes('{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}')) {
+          return {
+            ...options,
+            env: {
+              ...options.env,
+              GRAPH_TOKEN: 'resolved-graph-token',
+            },
+          };
+        }
+        return options;
+      });
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      expect(graphUtils.preProcessGraphTokens).toHaveBeenCalledWith(
+        serverConfig,
+        expect.objectContaining({
+          graphTokenResolver: mockGraphTokenResolver,
+        }),
+      );
+    });
+
+    it('should resolve graph tokens in URL', async () => {
+      const serverConfig: t.SSEOptions = {
+        type: 'sse',
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+      };
+
+      // Mock resolution for URL
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(async (options) => {
+        if (options.url?.includes('{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}')) {
+          return {
+            ...options,
+            url: 'https://api.example.com?token=resolved-graph-token',
+          };
+        }
+        return options;
+      });
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      expect(graphUtils.preProcessGraphTokens).toHaveBeenCalledWith(
+        serverConfig,
+        expect.objectContaining({
+          graphTokenResolver: mockGraphTokenResolver,
+        }),
+      );
+    });
+
+    it('should pass scopes from environment variable to preProcessGraphTokens', async () => {
+      const originalEnv = process.env.GRAPH_API_SCOPES;
+      process.env.GRAPH_API_SCOPES = 'custom.scope.read custom.scope.write';
+
+      const serverConfig = createServerConfigWithGraphPlaceholder();
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      expect(graphUtils.preProcessGraphTokens).toHaveBeenCalledWith(
+        serverConfig,
+        expect.objectContaining({
+          scopes: 'custom.scope.read custom.scope.write',
+        }),
+      );
+
+      // Restore environment
+      if (originalEnv !== undefined) {
+        process.env.GRAPH_API_SCOPES = originalEnv;
+      } else {
+        delete process.env.GRAPH_API_SCOPES;
+      }
+    });
+
+    it('should work correctly when config has no graph token placeholders', async () => {
+      const serverConfig: t.SSEOptions = {
+        type: 'sse',
+        url: 'https://api.example.com',
+        headers: {
+          Authorization: 'Bearer static-token',
+        },
+      };
+
+      // Mock to return unchanged options when no placeholders
+      (graphUtils.preProcessGraphTokens as jest.Mock).mockImplementation(
+        async (options) => options,
+      );
+
+      mockAppConnections({
+        get: jest.fn().mockResolvedValue(mockConnection),
+      });
+
+      (mockRegistryInstance.getServerConfig as jest.Mock).mockResolvedValue(serverConfig);
+
+      const manager = await MCPManager.createInstance(newMCPServersConfig());
+
+      const result = await manager.callTool({
+        user: mockUser as IUser,
+        serverName,
+        toolName: 'test_tool',
+        provider: 'openai',
+        flowManager: mockFlowManager as unknown as Parameters<
+          typeof manager.callTool
+        >[0]['flowManager'],
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      expect(result).toBeDefined();
+      expect(mockConnection.setRequestHeaders).toHaveBeenCalledWith(
+        expect.objectContaining({
+          Authorization: 'Bearer static-token',
+        }),
+      );
+    });
+  });
 });
diff --git a/packages/api/src/mcp/__tests__/mcp.spec.ts b/packages/api/src/mcp/__tests__/mcp.spec.ts
index f33db2f5c169..d64f9f3afaba 100644
--- a/packages/api/src/mcp/__tests__/mcp.spec.ts
+++ b/packages/api/src/mcp/__tests__/mcp.spec.ts
@@ -4,12 +4,23 @@ import {
   StreamableHTTPOptionsSchema,
 } from 'librechat-data-provider';
 import type { TUser } from 'librechat-data-provider';
+import type { IUser } from '@librechat/data-schemas';
+import type { GraphTokenResolver } from '~/utils/graph';
+import { preProcessGraphTokens } from '~/utils/graph';
 import { processMCPEnv } from '~/utils/env';
+import * as oidcUtils from '~/utils/oidc';
+
+// Mock oidc utilities for graph token tests
+jest.mock('~/utils/oidc', () => ({
+  ...jest.requireActual('~/utils/oidc'),
+  extractOpenIDTokenInfo: jest.fn(),
+  isOpenIDTokenValid: jest.fn(),
+}));
 
 // Helper function to create test user objects
 function createTestUser(
   overrides: Partial<TUser> & Record<string, unknown> = {},
-): TUser & Record<string, unknown> {
+): Omit<TUser, 'createdAt' | 'updatedAt'> | undefined {
   return {
     id: 'test-user-id',
     username: 'testuser',
@@ -18,8 +29,6 @@ function createTestUser(
     avatar: 'https://example.com/avatar.png',
     provider: 'email',
     role: 'user',
-    createdAt: new Date('2021-01-01').toISOString(),
-    updatedAt: new Date('2021-01-01').toISOString(),
     ...overrides,
   };
 }
@@ -858,5 +867,270 @@ describe('Environment Variable Extraction (MCP)', () => {
         'Content-Type': 'application/json',
       });
     });
+
+    it('should leave {{LIBRECHAT_GRAPH_ACCESS_TOKEN}} unchanged (resolved by preProcessGraphTokens)', () => {
+      const user = createTestUser({ id: 'user-123' });
+      const options: MCPOptions = {
+        type: 'sse',
+        url: 'https://example.com',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'X-User-Id': '{{LIBRECHAT_USER_ID}}',
+        },
+      };
+
+      const result = processMCPEnv({ options, user });
+
+      expect('headers' in result && result.headers).toEqual({
+        // Graph token placeholder remains - it should be resolved by preProcessGraphTokens before processMCPEnv
+        Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        // User ID is resolved by processMCPEnv
+        'X-User-Id': 'user-123',
+      });
+    });
+  });
+
+  describe('preProcessGraphTokens and processMCPEnv working in tandem', () => {
+    const mockExtractOpenIDTokenInfo = oidcUtils.extractOpenIDTokenInfo as jest.Mock;
+    const mockIsOpenIDTokenValid = oidcUtils.isOpenIDTokenValid as jest.Mock;
+
+    const mockGraphTokenResolver: GraphTokenResolver = jest.fn().mockResolvedValue({
+      access_token: 'resolved-graph-api-token',
+      token_type: 'Bearer',
+      expires_in: 3600,
+      scope: 'https://graph.microsoft.com/.default',
+    });
+
+    beforeEach(() => {
+      // Set up mocks to simulate valid OpenID token
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'test-access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+      (mockGraphTokenResolver as jest.Mock).mockClear();
+    });
+
+    afterEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('should resolve both graph tokens and user placeholders in sequence', async () => {
+      const user = createTestUser({
+        id: 'user-123',
+        email: 'test@example.com',
+        provider: 'openid',
+        openidId: 'oidc-sub-456',
+      }) as unknown as IUser;
+
+      const options: MCPOptions = {
+        type: 'sse',
+        url: 'https://graph.microsoft.com/v1.0/me',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'X-User-Id': '{{LIBRECHAT_USER_ID}}',
+          'X-User-Email': '{{LIBRECHAT_USER_EMAIL}}',
+          'Content-Type': 'application/json',
+        },
+      };
+
+      // Step 1: preProcessGraphTokens resolves graph token placeholders (async)
+      const graphProcessedConfig = await preProcessGraphTokens(options, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Step 2: processMCPEnv resolves user and env placeholders (sync)
+      const finalConfig = processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+      });
+
+      expect('headers' in finalConfig && finalConfig.headers).toEqual({
+        Authorization: 'Bearer resolved-graph-api-token',
+        'X-User-Id': 'user-123',
+        'X-User-Email': 'test@example.com',
+        'Content-Type': 'application/json',
+      });
+    });
+
+    it('should resolve graph tokens in env and user placeholders in headers', async () => {
+      const user = createTestUser({
+        id: 'user-456',
+        username: 'johndoe',
+        provider: 'openid',
+      }) as unknown as IUser;
+
+      const options: MCPOptions = {
+        command: 'node',
+        args: ['mcp-server.js', '--user', '{{LIBRECHAT_USER_USERNAME}}'],
+        env: {
+          GRAPH_ACCESS_TOKEN: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          USER_ID: '{{LIBRECHAT_USER_ID}}',
+          API_KEY: '${TEST_API_KEY}',
+        },
+      };
+
+      // Step 1: preProcessGraphTokens
+      const graphProcessedConfig = await preProcessGraphTokens(options, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Step 2: processMCPEnv
+      const finalConfig = processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+      });
+
+      expect('env' in finalConfig && finalConfig.env).toEqual({
+        GRAPH_ACCESS_TOKEN: 'resolved-graph-api-token',
+        USER_ID: 'user-456',
+        API_KEY: 'test-api-key-value',
+      });
+
+      expect('args' in finalConfig && finalConfig.args).toEqual([
+        'mcp-server.js',
+        '--user',
+        'johndoe',
+      ]);
+    });
+
+    it('should resolve graph tokens in URL alongside other placeholders', async () => {
+      const user = createTestUser({
+        id: 'user-789',
+        provider: 'openid',
+      }) as unknown as IUser;
+
+      const customUserVars = {
+        TENANT_ID: 'my-tenant-123',
+      };
+
+      const options: MCPOptions = {
+        type: 'sse',
+        url: 'https://{{TENANT_ID}}.example.com/api?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}&user={{LIBRECHAT_USER_ID}}',
+      };
+
+      // Step 1: preProcessGraphTokens
+      const graphProcessedConfig = await preProcessGraphTokens(options, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Step 2: processMCPEnv with customUserVars
+      const finalConfig = processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+        customUserVars,
+      });
+
+      expect('url' in finalConfig && finalConfig.url).toBe(
+        'https://my-tenant-123.example.com/api?token=resolved-graph-api-token&user=user-789',
+      );
+    });
+
+    it('should handle config with no graph token placeholders (only user placeholders)', async () => {
+      const user = createTestUser({
+        id: 'user-abc',
+        email: 'user@company.com',
+      }) as unknown as IUser;
+
+      const options: MCPOptions = {
+        type: 'sse',
+        url: 'https://api.example.com',
+        headers: {
+          'X-User-Id': '{{LIBRECHAT_USER_ID}}',
+          'X-User-Email': '{{LIBRECHAT_USER_EMAIL}}',
+        },
+      };
+
+      // Step 1: preProcessGraphTokens (no-op since no graph placeholders)
+      const graphProcessedConfig = await preProcessGraphTokens(options, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Step 2: processMCPEnv
+      const finalConfig = processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+      });
+
+      expect('headers' in finalConfig && finalConfig.headers).toEqual({
+        'X-User-Id': 'user-abc',
+        'X-User-Email': 'user@company.com',
+      });
+
+      // graphTokenResolver should not have been called
+      expect(mockGraphTokenResolver).not.toHaveBeenCalled();
+    });
+
+    it('should handle config with only graph token placeholders (no user placeholders)', async () => {
+      const user = createTestUser({
+        id: 'user-xyz',
+        provider: 'openid',
+      }) as unknown as IUser;
+
+      const options: MCPOptions = {
+        type: 'sse',
+        url: 'https://graph.microsoft.com/v1.0/me',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'Content-Type': 'application/json',
+        },
+      };
+
+      // Reset mock call count
+      (mockGraphTokenResolver as jest.Mock).mockClear();
+
+      // Step 1: preProcessGraphTokens
+      const graphProcessedConfig = await preProcessGraphTokens(options, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      // Step 2: processMCPEnv
+      const finalConfig = processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+      });
+
+      expect('headers' in finalConfig && finalConfig.headers).toEqual({
+        Authorization: 'Bearer resolved-graph-api-token',
+        'Content-Type': 'application/json',
+      });
+    });
+
+    it('should not mutate original options through the tandem processing', async () => {
+      const user = createTestUser({
+        id: 'user-immutable',
+        provider: 'openid',
+      }) as unknown as IUser;
+
+      const originalOptions: MCPOptions = {
+        type: 'sse',
+        url: 'https://api.example.com',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'X-User-Id': '{{LIBRECHAT_USER_ID}}',
+        },
+      };
+
+      // Store original values
+      const originalAuth = originalOptions.headers?.Authorization;
+      const originalUserId = originalOptions.headers?.['X-User-Id'];
+
+      // Step 1 & 2: Process through both functions
+      const graphProcessedConfig = await preProcessGraphTokens(originalOptions, {
+        user,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+
+      processMCPEnv({
+        options: graphProcessedConfig,
+        user,
+      });
+
+      // Original should be unchanged
+      expect(originalOptions.headers?.Authorization).toBe(originalAuth);
+      expect(originalOptions.headers?.['X-User-Id']).toBe(originalUserId);
+    });
   });
 });
diff --git a/packages/api/src/mcp/types/index.ts b/packages/api/src/mcp/types/index.ts
index 63a0153cad47..3b0d31b83b62 100644
--- a/packages/api/src/mcp/types/index.ts
+++ b/packages/api/src/mcp/types/index.ts
@@ -17,7 +17,8 @@ import type {
   Tool,
 } from '@modelcontextprotocol/sdk/types.js';
 import type { SearchResultData, UIResource, TPlugin } from 'librechat-data-provider';
-import type { TokenMethods, JsonSchemaType, IUser } from '@librechat/data-schemas';
+import type { TokenMethods, IUser } from '@librechat/data-schemas';
+import type { LCTool } from '@librechat/agents';
 import type { FlowStateManager } from '~/flow/manager';
 import type { RequestBody } from '~/types/http';
 import type * as o from '~/mcp/oauth/types';
@@ -42,11 +43,6 @@ export interface MCPResource {
   description?: string;
   mimeType?: string;
 }
-export interface LCTool {
-  name: string;
-  description?: string;
-  parameters: JsonSchemaType;
-}
 
 export interface LCFunctionTool {
   type: 'function';
diff --git a/packages/api/src/middleware/admin.spec.ts b/packages/api/src/middleware/admin.spec.ts
new file mode 100644
index 000000000000..0074461cb441
--- /dev/null
+++ b/packages/api/src/middleware/admin.spec.ts
@@ -0,0 +1,140 @@
+import { logger } from '@librechat/data-schemas';
+import { SystemRoles } from 'librechat-data-provider';
+import { requireAdmin } from './admin';
+import type { Response } from 'express';
+import type { ServerRequest } from '~/types/http';
+
+jest.mock('@librechat/data-schemas', () => ({
+  ...jest.requireActual('@librechat/data-schemas'),
+  logger: {
+    warn: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+describe('requireAdmin middleware', () => {
+  let mockReq: Partial<ServerRequest>;
+  let mockRes: Partial<Response>;
+  let mockNext: jest.Mock;
+  let jsonMock: jest.Mock;
+  let statusMock: jest.Mock;
+
+  beforeEach(() => {
+    jsonMock = jest.fn();
+    statusMock = jest.fn().mockReturnValue({ json: jsonMock });
+
+    mockReq = {};
+    mockRes = {
+      status: statusMock,
+    };
+    mockNext = jest.fn();
+
+    (logger.warn as jest.Mock).mockClear();
+    (logger.debug as jest.Mock).mockClear();
+  });
+
+  describe('when no user is present', () => {
+    it('should return 401 with AUTHENTICATION_REQUIRED error', () => {
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(statusMock).toHaveBeenCalledWith(401);
+      expect(jsonMock).toHaveBeenCalledWith({
+        error: 'Authentication required',
+        error_code: 'AUTHENTICATION_REQUIRED',
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(logger.warn).toHaveBeenCalledWith('[requireAdmin] No user found in request');
+    });
+
+    it('should return 401 when user is undefined', () => {
+      mockReq.user = undefined;
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(statusMock).toHaveBeenCalledWith(401);
+      expect(jsonMock).toHaveBeenCalledWith({
+        error: 'Authentication required',
+        error_code: 'AUTHENTICATION_REQUIRED',
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('when user does not have admin role', () => {
+    it('should return 403 when user has no role property', () => {
+      mockReq.user = { email: 'user@test.com' } as ServerRequest['user'];
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(statusMock).toHaveBeenCalledWith(403);
+      expect(jsonMock).toHaveBeenCalledWith({
+        error: 'Access denied: Admin privileges required',
+        error_code: 'ADMIN_REQUIRED',
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(logger.debug).toHaveBeenCalledWith(
+        '[requireAdmin] Access denied for non-admin user: user@test.com',
+      );
+    });
+
+    it('should return 403 when user has USER role', () => {
+      mockReq.user = {
+        email: 'user@test.com',
+        role: SystemRoles.USER,
+      } as ServerRequest['user'];
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(statusMock).toHaveBeenCalledWith(403);
+      expect(jsonMock).toHaveBeenCalledWith({
+        error: 'Access denied: Admin privileges required',
+        error_code: 'ADMIN_REQUIRED',
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+
+    it('should return 403 when user has empty string role', () => {
+      mockReq.user = {
+        email: 'user@test.com',
+        role: '',
+      } as ServerRequest['user'];
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(statusMock).toHaveBeenCalledWith(403);
+      expect(jsonMock).toHaveBeenCalledWith({
+        error: 'Access denied: Admin privileges required',
+        error_code: 'ADMIN_REQUIRED',
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('when user has admin role', () => {
+    it('should call next() and not send response', () => {
+      mockReq.user = {
+        email: 'admin@test.com',
+        role: SystemRoles.ADMIN,
+      } as ServerRequest['user'];
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(mockNext).toHaveBeenCalledTimes(1);
+      expect(mockNext).toHaveBeenCalledWith();
+      expect(statusMock).not.toHaveBeenCalled();
+      expect(jsonMock).not.toHaveBeenCalled();
+    });
+
+    it('should not log any warnings or debug messages for admin users', () => {
+      mockReq.user = {
+        email: 'admin@test.com',
+        role: SystemRoles.ADMIN,
+      } as ServerRequest['user'];
+
+      requireAdmin(mockReq as ServerRequest, mockRes as Response, mockNext);
+
+      expect(logger.warn).not.toHaveBeenCalled();
+      expect(logger.debug).not.toHaveBeenCalled();
+    });
+  });
+});
diff --git a/packages/api/src/middleware/admin.ts b/packages/api/src/middleware/admin.ts
new file mode 100644
index 000000000000..d770adfd85a4
--- /dev/null
+++ b/packages/api/src/middleware/admin.ts
@@ -0,0 +1,28 @@
+import { logger } from '@librechat/data-schemas';
+import { SystemRoles } from 'librechat-data-provider';
+import type { NextFunction, Response } from 'express';
+import type { ServerRequest } from '~/types/http';
+
+/**
+ * Middleware to check if authenticated user has admin role.
+ * Should be used AFTER authentication middleware (requireJwtAuth, requireLocalAuth, etc.)
+ */
+export const requireAdmin = (req: ServerRequest, res: Response, next: NextFunction) => {
+  if (!req.user) {
+    logger.warn('[requireAdmin] No user found in request');
+    return res.status(401).json({
+      error: 'Authentication required',
+      error_code: 'AUTHENTICATION_REQUIRED',
+    });
+  }
+
+  if (!req.user.role || req.user.role !== SystemRoles.ADMIN) {
+    logger.debug(`[requireAdmin] Access denied for non-admin user: ${req.user.email}`);
+    return res.status(403).json({
+      error: 'Access denied: Admin privileges required',
+      error_code: 'ADMIN_REQUIRED',
+    });
+  }
+
+  next();
+};
diff --git a/packages/api/src/middleware/index.ts b/packages/api/src/middleware/index.ts
index 4398b35e14b1..a208923a493f 100644
--- a/packages/api/src/middleware/index.ts
+++ b/packages/api/src/middleware/index.ts
@@ -1,4 +1,5 @@
 export * from './access';
+export * from './admin';
 export * from './error';
 export * from './balance';
 export * from './json';
diff --git a/packages/api/src/tools/classification.spec.ts b/packages/api/src/tools/classification.spec.ts
new file mode 100644
index 000000000000..b0a24cb53870
--- /dev/null
+++ b/packages/api/src/tools/classification.spec.ts
@@ -0,0 +1,453 @@
+import {
+  parseToolList,
+  toolMatchesPatterns,
+  getServerNameFromTool,
+  buildToolRegistryFromEnv,
+  buildToolRegistryFromAgentOptions,
+  buildToolClassification,
+  agentHasDeferredTools,
+  agentHasProgrammaticTools,
+  isAgentAllowedForClassification,
+} from './classification';
+import type { ToolDefinition, LCToolRegistry } from './classification';
+import type { GenericTool } from '@librechat/agents';
+import type { AgentToolOptions } from 'librechat-data-provider';
+
+describe('classification.ts', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+    // Clear classification-related env vars
+    delete process.env.TOOL_PROGRAMMATIC_ONLY;
+    delete process.env.TOOL_PROGRAMMATIC_ONLY_EXCLUDE;
+    delete process.env.TOOL_DUAL_CONTEXT;
+    delete process.env.TOOL_DUAL_CONTEXT_EXCLUDE;
+    delete process.env.TOOL_DEFERRED;
+    delete process.env.TOOL_DEFERRED_EXCLUDE;
+    delete process.env.TOOL_CLASSIFICATION_AGENT_IDS;
+    delete process.env.TOOL_CLASSIFICATION_FROM_ENV;
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  describe('parseToolList', () => {
+    it('should return empty set for undefined input', () => {
+      const result = parseToolList(undefined);
+      expect(result.size).toBe(0);
+    });
+
+    it('should return empty set for empty string', () => {
+      const result = parseToolList('');
+      expect(result.size).toBe(0);
+    });
+
+    it('should return empty set for whitespace-only string', () => {
+      const result = parseToolList('   ');
+      expect(result.size).toBe(0);
+    });
+
+    it('should parse comma-separated tool names', () => {
+      const result = parseToolList('tool1,tool2,tool3');
+      expect(result.size).toBe(3);
+      expect(result.has('tool1')).toBe(true);
+      expect(result.has('tool2')).toBe(true);
+      expect(result.has('tool3')).toBe(true);
+    });
+
+    it('should trim whitespace from tool names', () => {
+      const result = parseToolList('  tool1  ,  tool2  ');
+      expect(result.size).toBe(2);
+      expect(result.has('tool1')).toBe(true);
+      expect(result.has('tool2')).toBe(true);
+    });
+
+    it('should filter out empty entries', () => {
+      const result = parseToolList('tool1,,tool2,,,tool3');
+      expect(result.size).toBe(3);
+    });
+  });
+
+  describe('getServerNameFromTool', () => {
+    it('should extract server name from MCP tool name', () => {
+      const result = getServerNameFromTool('list_files_mcp_Google-Workspace');
+      expect(result).toBe('Google-Workspace');
+    });
+
+    it('should return undefined for non-MCP tool', () => {
+      const result = getServerNameFromTool('simple_tool');
+      expect(result).toBeUndefined();
+    });
+
+    it('should handle multiple delimiters', () => {
+      const result = getServerNameFromTool('some_tool_mcp_Server_Name');
+      expect(result).toBe('Server_Name');
+    });
+  });
+
+  describe('toolMatchesPatterns', () => {
+    it('should return true for exact match', () => {
+      const patterns = new Set(['tool1', 'tool2']);
+      const excludes = new Set<string>();
+      expect(toolMatchesPatterns('tool1', patterns, excludes)).toBe(true);
+    });
+
+    it('should return false for non-matching tool', () => {
+      const patterns = new Set(['tool1', 'tool2']);
+      const excludes = new Set<string>();
+      expect(toolMatchesPatterns('tool3', patterns, excludes)).toBe(false);
+    });
+
+    it('should return false when tool is in excludes', () => {
+      const patterns = new Set(['tool1', 'tool2']);
+      const excludes = new Set(['tool1']);
+      expect(toolMatchesPatterns('tool1', patterns, excludes)).toBe(false);
+    });
+
+    it('should match server-wide pattern', () => {
+      const patterns = new Set(['sys__all__sys_mcp_Google-Workspace']);
+      const excludes = new Set<string>();
+      expect(toolMatchesPatterns('list_files_mcp_Google-Workspace', patterns, excludes)).toBe(true);
+    });
+
+    it('should respect excludes for server-wide patterns', () => {
+      const patterns = new Set(['sys__all__sys_mcp_Google-Workspace']);
+      const excludes = new Set(['list_files_mcp_Google-Workspace']);
+      expect(toolMatchesPatterns('list_files_mcp_Google-Workspace', patterns, excludes)).toBe(
+        false,
+      );
+    });
+  });
+
+  describe('buildToolRegistryFromEnv', () => {
+    it('should set defer_loading based on TOOL_DEFERRED env var', () => {
+      process.env.TOOL_DEFERRED = 'tool1,tool2';
+
+      const tools: ToolDefinition[] = [
+        { name: 'tool1', description: 'Tool 1' },
+        { name: 'tool2', description: 'Tool 2' },
+        { name: 'tool3', description: 'Tool 3' },
+      ];
+
+      const registry = buildToolRegistryFromEnv(tools);
+
+      expect(registry.get('tool1')?.defer_loading).toBe(true);
+      expect(registry.get('tool2')?.defer_loading).toBe(true);
+      expect(registry.get('tool3')?.defer_loading).toBe(false);
+    });
+
+    it('should respect TOOL_DEFERRED_EXCLUDE', () => {
+      process.env.TOOL_DEFERRED = 'sys__all__sys_mcp_TestServer';
+      process.env.TOOL_DEFERRED_EXCLUDE = 'tool2_mcp_TestServer';
+
+      const tools: ToolDefinition[] = [
+        { name: 'tool1_mcp_TestServer', description: 'Tool 1' },
+        { name: 'tool2_mcp_TestServer', description: 'Tool 2' },
+      ];
+
+      const registry = buildToolRegistryFromEnv(tools);
+
+      expect(registry.get('tool1_mcp_TestServer')?.defer_loading).toBe(true);
+      expect(registry.get('tool2_mcp_TestServer')?.defer_loading).toBe(false);
+    });
+
+    it('should set allowed_callers based on TOOL_PROGRAMMATIC_ONLY', () => {
+      process.env.TOOL_PROGRAMMATIC_ONLY = 'tool1';
+
+      const tools: ToolDefinition[] = [
+        { name: 'tool1', description: 'Tool 1' },
+        { name: 'tool2', description: 'Tool 2' },
+      ];
+
+      const registry = buildToolRegistryFromEnv(tools);
+
+      expect(registry.get('tool1')?.allowed_callers).toEqual(['code_execution']);
+      expect(registry.get('tool2')?.allowed_callers).toEqual(['direct']);
+    });
+
+    it('should set dual context callers based on TOOL_DUAL_CONTEXT', () => {
+      process.env.TOOL_DUAL_CONTEXT = 'tool1';
+
+      const tools: ToolDefinition[] = [{ name: 'tool1', description: 'Tool 1' }];
+
+      const registry = buildToolRegistryFromEnv(tools);
+
+      expect(registry.get('tool1')?.allowed_callers).toEqual(['direct', 'code_execution']);
+    });
+  });
+
+  describe('buildToolRegistryFromAgentOptions', () => {
+    it('should use agent tool options for defer_loading', () => {
+      const tools: ToolDefinition[] = [
+        { name: 'tool1', description: 'Tool 1' },
+        { name: 'tool2', description: 'Tool 2' },
+      ];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+        tool2: { defer_loading: false },
+      };
+
+      const registry = buildToolRegistryFromAgentOptions(tools, agentToolOptions);
+
+      expect(registry.get('tool1')?.defer_loading).toBe(true);
+      expect(registry.get('tool2')?.defer_loading).toBe(false);
+    });
+
+    it('should default defer_loading to false when not specified', () => {
+      const tools: ToolDefinition[] = [{ name: 'tool1', description: 'Tool 1' }];
+
+      const agentToolOptions: AgentToolOptions = {};
+
+      const registry = buildToolRegistryFromAgentOptions(tools, agentToolOptions);
+
+      expect(registry.get('tool1')?.defer_loading).toBe(false);
+    });
+
+    it('should use agent allowed_callers when specified', () => {
+      const tools: ToolDefinition[] = [{ name: 'tool1', description: 'Tool 1' }];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { allowed_callers: ['code_execution'] },
+      };
+
+      const registry = buildToolRegistryFromAgentOptions(tools, agentToolOptions);
+
+      expect(registry.get('tool1')?.allowed_callers).toEqual(['code_execution']);
+    });
+  });
+
+  describe('agentHasDeferredTools', () => {
+    it('should return true when registry has deferred tools', () => {
+      const registry: LCToolRegistry = new Map([
+        ['tool1', { name: 'tool1', allowed_callers: ['direct'], defer_loading: true }],
+        ['tool2', { name: 'tool2', allowed_callers: ['direct'], defer_loading: false }],
+      ]);
+
+      expect(agentHasDeferredTools(registry)).toBe(true);
+    });
+
+    it('should return false when no tools are deferred', () => {
+      const registry: LCToolRegistry = new Map([
+        ['tool1', { name: 'tool1', allowed_callers: ['direct'], defer_loading: false }],
+        ['tool2', { name: 'tool2', allowed_callers: ['direct'], defer_loading: false }],
+      ]);
+
+      expect(agentHasDeferredTools(registry)).toBe(false);
+    });
+
+    it('should return false for empty registry', () => {
+      const registry: LCToolRegistry = new Map();
+      expect(agentHasDeferredTools(registry)).toBe(false);
+    });
+  });
+
+  describe('agentHasProgrammaticTools', () => {
+    it('should return true when registry has programmatic tools', () => {
+      const registry: LCToolRegistry = new Map([
+        ['tool1', { name: 'tool1', allowed_callers: ['code_execution'], defer_loading: false }],
+      ]);
+
+      expect(agentHasProgrammaticTools(registry)).toBe(true);
+    });
+
+    it('should return true for dual context tools', () => {
+      const registry: LCToolRegistry = new Map([
+        [
+          'tool1',
+          { name: 'tool1', allowed_callers: ['direct', 'code_execution'], defer_loading: false },
+        ],
+      ]);
+
+      expect(agentHasProgrammaticTools(registry)).toBe(true);
+    });
+
+    it('should return false when no programmatic tools', () => {
+      const registry: LCToolRegistry = new Map([
+        ['tool1', { name: 'tool1', allowed_callers: ['direct'], defer_loading: false }],
+      ]);
+
+      expect(agentHasProgrammaticTools(registry)).toBe(false);
+    });
+  });
+
+  describe('isAgentAllowedForClassification', () => {
+    it('should return true when TOOL_CLASSIFICATION_AGENT_IDS is not set', () => {
+      expect(isAgentAllowedForClassification('any-agent-id')).toBe(true);
+    });
+
+    it('should return true when agent is in allowed list', () => {
+      process.env.TOOL_CLASSIFICATION_AGENT_IDS = 'agent1,agent2,agent3';
+      expect(isAgentAllowedForClassification('agent2')).toBe(true);
+    });
+
+    it('should return false when agent is not in allowed list', () => {
+      process.env.TOOL_CLASSIFICATION_AGENT_IDS = 'agent1,agent2';
+      expect(isAgentAllowedForClassification('agent3')).toBe(false);
+    });
+
+    it('should return false when agentId is undefined and list is set', () => {
+      process.env.TOOL_CLASSIFICATION_AGENT_IDS = 'agent1';
+      expect(isAgentAllowedForClassification(undefined)).toBe(false);
+    });
+  });
+
+  describe('buildToolClassification with deferredToolsEnabled', () => {
+    const mockLoadAuthValues = jest.fn().mockResolvedValue({});
+
+    const createMCPTool = (name: string, description?: string) =>
+      ({
+        name,
+        description,
+        mcp: true,
+        mcpJsonSchema: { type: 'object', properties: {} },
+      }) as unknown as GenericTool;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('should return hasDeferredTools: false when deferredToolsEnabled is false', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1'), createMCPTool('tool2')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+        tool2: { defer_loading: true },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        deferredToolsEnabled: false,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.hasDeferredTools).toBe(false);
+      expect(result.additionalTools.length).toBe(0);
+    });
+
+    it('should clear defer_loading from all tools when deferredToolsEnabled is false', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1'), createMCPTool('tool2')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+        tool2: { defer_loading: true },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        deferredToolsEnabled: false,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.toolRegistry).toBeDefined();
+      expect(result.toolRegistry?.get('tool1')?.defer_loading).toBe(false);
+      expect(result.toolRegistry?.get('tool2')?.defer_loading).toBe(false);
+    });
+
+    it('should preserve defer_loading when deferredToolsEnabled is true', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1'), createMCPTool('tool2')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+        tool2: { defer_loading: false },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        deferredToolsEnabled: true,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.hasDeferredTools).toBe(true);
+      expect(result.toolRegistry?.get('tool1')?.defer_loading).toBe(true);
+      expect(result.toolRegistry?.get('tool2')?.defer_loading).toBe(false);
+    });
+
+    it('should create tool search when deferredToolsEnabled is true and has deferred tools', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        deferredToolsEnabled: true,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.hasDeferredTools).toBe(true);
+      expect(result.additionalTools.some((t) => t.name === 'tool_search')).toBe(true);
+    });
+
+    it('should NOT create tool search when deferredToolsEnabled is false', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        deferredToolsEnabled: false,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.hasDeferredTools).toBe(false);
+      expect(result.additionalTools.some((t) => t.name === 'tool_search')).toBe(false);
+    });
+
+    it('should default deferredToolsEnabled to true when not specified', async () => {
+      const loadedTools: GenericTool[] = [createMCPTool('tool1')];
+
+      const agentToolOptions: AgentToolOptions = {
+        tool1: { defer_loading: true },
+      };
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        agentToolOptions,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.hasDeferredTools).toBe(true);
+    });
+
+    it('should return early when no MCP tools are present', async () => {
+      const loadedTools: GenericTool[] = [
+        { name: 'regular_tool', mcp: false } as unknown as GenericTool,
+      ];
+
+      const result = await buildToolClassification({
+        loadedTools,
+        userId: 'user1',
+        agentId: 'agent1',
+        deferredToolsEnabled: true,
+        loadAuthValues: mockLoadAuthValues,
+      });
+
+      expect(result.toolRegistry).toBeUndefined();
+      expect(result.hasDeferredTools).toBe(false);
+      expect(result.additionalTools.length).toBe(0);
+    });
+  });
+});
diff --git a/packages/api/src/tools/classification.ts b/packages/api/src/tools/classification.ts
new file mode 100644
index 000000000000..6ff8963dfcd3
--- /dev/null
+++ b/packages/api/src/tools/classification.ts
@@ -0,0 +1,512 @@
+/**
+ * @fileoverview Utility functions for building tool registries from environment variables.
+ * This is a temporary solution for tool classification until UI-based configuration is available.
+ *
+ * Environment Variables:
+ * - TOOL_PROGRAMMATIC_ONLY: Comma-separated tool names or server patterns (sys__all__sys_mcp_ServerName)
+ * - TOOL_PROGRAMMATIC_ONLY_EXCLUDE: Comma-separated tool names to exclude from programmatic only
+ * - TOOL_DUAL_CONTEXT: Comma-separated tool names or server patterns callable BOTH by LLM and PTC
+ * - TOOL_DUAL_CONTEXT_EXCLUDE: Comma-separated tool names to exclude from dual context
+ * - TOOL_DEFERRED: Comma-separated tool names or server patterns for deferred tools
+ * - TOOL_DEFERRED_EXCLUDE: Comma-separated tool names to exclude from deferred
+ * - TOOL_CLASSIFICATION_AGENT_IDS: Optional comma-separated agent IDs to restrict classification features
+ *
+ * Server patterns: Use `sys__all__sys_mcp_ServerName` to match all tools from an MCP server.
+ * Example: `sys__all__sys_mcp_Google-Workspace` matches all Google Workspace tools.
+ *
+ * Agent restriction: If TOOL_CLASSIFICATION_AGENT_IDS is set, only those agents will get
+ * PTC and tool search tools. If not set, all agents with matching tools get them.
+ *
+ * Smart enablement: PTC/tool search are only created if the agent has tools that actually
+ * match the classification patterns. An agent with no programmatic/deferred tools won't
+ * get PTC/tool search even if the env vars are set.
+ *
+ * @module packages/api/src/tools/classification
+ */
+
+import { logger } from '@librechat/data-schemas';
+import { Constants } from 'librechat-data-provider';
+import { EnvVar, createProgrammaticToolCallingTool, createToolSearch } from '@librechat/agents';
+import type { AgentToolOptions } from 'librechat-data-provider';
+import type {
+  LCToolRegistry,
+  JsonSchemaType,
+  AllowedCaller,
+  GenericTool,
+  LCTool,
+} from '@librechat/agents';
+
+export type { LCTool, LCToolRegistry, AllowedCaller, JsonSchemaType };
+
+/** Pattern prefix for matching all tools from an MCP server */
+const MCP_ALL_PATTERN = `${Constants.mcp_all}${Constants.mcp_delimiter}`;
+
+export interface ToolDefinition {
+  name: string;
+  description?: string;
+  parameters?: JsonSchemaType;
+}
+
+/**
+ * Parses a comma-separated tool list from an environment variable.
+ * @param envValue - The environment variable value
+ * @returns Set of tool names or server patterns
+ */
+export function parseToolList(envValue: string | undefined): Set<string> {
+  if (!envValue || envValue.trim() === '') {
+    return new Set();
+  }
+  return new Set(
+    envValue
+      .split(',')
+      .map((s) => s.trim())
+      .filter((s) => s.length > 0),
+  );
+}
+
+/**
+ * Extracts the MCP server name from a tool name.
+ * Tool names follow the pattern: toolName_mcp_ServerName
+ * @param toolName - The full tool name
+ * @returns The server name or undefined if not an MCP tool
+ */
+export function getServerNameFromTool(toolName: string): string | undefined {
+  const parts = toolName.split(Constants.mcp_delimiter);
+  if (parts.length >= 2) {
+    return parts[parts.length - 1];
+  }
+  return undefined;
+}
+
+/**
+ * Checks if a tool matches a set of patterns (tool names or server patterns).
+ * Supports both exact tool name matches and server-wide patterns like `mcp_all_mcp_ServerName`.
+ *
+ * @param toolName - The tool name to check
+ * @param patterns - Set of patterns (tool names or mcp_all_mcp_ServerName patterns)
+ * @param excludes - Set of tool names to exclude (takes precedence over patterns)
+ * @returns Whether the tool matches any pattern and is not excluded
+ */
+export function toolMatchesPatterns(
+  toolName: string,
+  patterns: Set<string>,
+  excludes: Set<string>,
+): boolean {
+  if (excludes.has(toolName)) {
+    return false;
+  }
+
+  if (patterns.has(toolName)) {
+    return true;
+  }
+
+  const serverName = getServerNameFromTool(toolName);
+  if (serverName) {
+    const serverPattern = `${MCP_ALL_PATTERN}${serverName}`;
+    if (patterns.has(serverPattern)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Builds a tool registry from environment variables for the given tools.
+ * This is a temporary solution while UI-based configuration is being developed.
+ *
+ * Supports server-wide patterns using `mcp_all_mcp_ServerName` syntax.
+ * Exclusion env vars take precedence over inclusion patterns.
+ *
+ * Default behavior (if tool not listed in any env var):
+ * - allowed_callers: ['direct']
+ * - defer_loading: false
+ *
+ * @param tools - Array of tool definitions
+ * @returns Map of tool name to tool definition with classification
+ *
+ * @example
+ * // Environment for server-wide configuration:
+ * // TOOL_PROGRAMMATIC_ONLY=mcp_all_mcp_Google-Workspace
+ * // TOOL_DEFERRED=mcp_all_mcp_Google-Workspace
+ * // TOOL_DEFERRED_EXCLUDE=list_spreadsheets_mcp_Google-Workspace,read_sheet_values_mcp_Google-Workspace
+ *
+ * @example
+ * // Environment for individual tools:
+ * // TOOL_PROGRAMMATIC_ONLY=get_expenses,get_team_members
+ * // TOOL_DUAL_CONTEXT=get_weather
+ * // TOOL_DEFERRED=generate_report
+ */
+export function buildToolRegistryFromEnv(tools: ToolDefinition[]): LCToolRegistry {
+  const programmaticOnly = parseToolList(process.env.TOOL_PROGRAMMATIC_ONLY);
+  const programmaticOnlyExclude = parseToolList(process.env.TOOL_PROGRAMMATIC_ONLY_EXCLUDE);
+  const dualContext = parseToolList(process.env.TOOL_DUAL_CONTEXT);
+  const dualContextExclude = parseToolList(process.env.TOOL_DUAL_CONTEXT_EXCLUDE);
+  const deferred = parseToolList(process.env.TOOL_DEFERRED);
+  const deferredExclude = parseToolList(process.env.TOOL_DEFERRED_EXCLUDE);
+
+  const registry: LCToolRegistry = new Map();
+
+  for (const tool of tools) {
+    const { name, description, parameters } = tool;
+
+    let allowed_callers: AllowedCaller[];
+
+    if (toolMatchesPatterns(name, programmaticOnly, programmaticOnlyExclude)) {
+      allowed_callers = ['code_execution'];
+    } else if (toolMatchesPatterns(name, dualContext, dualContextExclude)) {
+      allowed_callers = ['direct', 'code_execution'];
+    } else {
+      // Default: direct only (LLM can call, PTC cannot)
+      allowed_callers = ['direct'];
+    }
+
+    const toolDef: LCTool = {
+      name,
+      allowed_callers,
+      defer_loading: toolMatchesPatterns(name, deferred, deferredExclude),
+    };
+
+    // Include description and parameters if available (needed for tool search and PTC stub generation)
+    if (description) {
+      toolDef.description = description;
+    }
+    if (parameters) {
+      toolDef.parameters = parameters;
+    }
+
+    registry.set(name, toolDef);
+  }
+
+  return registry;
+}
+
+/**
+ * Builds a tool registry from agent-level tool_options.
+ * This takes precedence over environment variable configuration when provided.
+ *
+ * @param tools - Array of tool definitions
+ * @param agentToolOptions - Per-tool configuration from the agent
+ * @returns Map of tool name to tool definition with classification
+ */
+export function buildToolRegistryFromAgentOptions(
+  tools: ToolDefinition[],
+  agentToolOptions: AgentToolOptions,
+): LCToolRegistry {
+  /** Fall back to env vars for tools not configured at agent level */
+  const programmaticOnly = parseToolList(process.env.TOOL_PROGRAMMATIC_ONLY);
+  const programmaticOnlyExclude = parseToolList(process.env.TOOL_PROGRAMMATIC_ONLY_EXCLUDE);
+  const dualContext = parseToolList(process.env.TOOL_DUAL_CONTEXT);
+  const dualContextExclude = parseToolList(process.env.TOOL_DUAL_CONTEXT_EXCLUDE);
+
+  const registry: LCToolRegistry = new Map();
+
+  for (const tool of tools) {
+    const { name, description, parameters } = tool;
+    const agentOptions = agentToolOptions[name];
+
+    /** Determine allowed_callers: agent options take precedence, then env vars, then default */
+    let allowed_callers: AllowedCaller[];
+    if (agentOptions?.allowed_callers && agentOptions.allowed_callers.length > 0) {
+      allowed_callers = agentOptions.allowed_callers;
+    } else if (toolMatchesPatterns(name, programmaticOnly, programmaticOnlyExclude)) {
+      allowed_callers = ['code_execution'];
+    } else if (toolMatchesPatterns(name, dualContext, dualContextExclude)) {
+      allowed_callers = ['direct', 'code_execution'];
+    } else {
+      allowed_callers = ['direct'];
+    }
+
+    /** Determine defer_loading: agent options take precedence (explicit true/false) */
+    const defer_loading = agentOptions?.defer_loading === true;
+
+    const toolDef: LCTool = {
+      name,
+      allowed_callers,
+      defer_loading,
+    };
+
+    if (description) {
+      toolDef.description = description;
+    }
+    if (parameters) {
+      toolDef.parameters = parameters;
+    }
+
+    registry.set(name, toolDef);
+  }
+
+  return registry;
+}
+
+/**
+ * Checks if PTC (Programmatic Tool Calling) should be enabled based on environment configuration.
+ * PTC is enabled if any tools or server patterns are configured for programmatic calling.
+ * @returns Whether PTC should be enabled
+ */
+export function shouldEnablePTC(): boolean {
+  const programmaticOnly = parseToolList(process.env.TOOL_PROGRAMMATIC_ONLY);
+  const dualContext = parseToolList(process.env.TOOL_DUAL_CONTEXT);
+  return programmaticOnly.size > 0 || dualContext.size > 0;
+}
+
+/**
+ * Checks if tool search should be enabled based on environment configuration.
+ * Tool search is enabled if any tools or server patterns are configured as deferred.
+ * @returns Whether tool search should be enabled
+ */
+export function shouldEnableToolSearch(): boolean {
+  const deferred = parseToolList(process.env.TOOL_DEFERRED);
+  return deferred.size > 0;
+}
+
+interface MCPToolInstance {
+  name: string;
+  description?: string;
+  mcp?: boolean;
+  /** Original JSON schema attached at MCP tool creation time */
+  mcpJsonSchema?: JsonSchemaType;
+}
+
+/**
+ * Extracts MCP tool definition from a loaded tool instance.
+ * MCP tools have the original JSON schema attached as `mcpJsonSchema` property.
+ *
+ * @param tool - The loaded tool instance
+ * @returns Tool definition
+ */
+export function extractMCPToolDefinition(tool: MCPToolInstance): ToolDefinition {
+  const def: ToolDefinition = { name: tool.name };
+
+  if (tool.description) {
+    def.description = tool.description;
+  }
+
+  if (tool.mcpJsonSchema) {
+    def.parameters = tool.mcpJsonSchema;
+  }
+
+  return def;
+}
+
+/**
+ * Checks if a tool is an MCP tool based on its properties.
+ * @param tool - The tool to check (can be any object with potential mcp property)
+ * @returns Whether the tool is an MCP tool
+ */
+export function isMCPTool(tool: unknown): tool is MCPToolInstance {
+  return typeof tool === 'object' && tool !== null && (tool as MCPToolInstance).mcp === true;
+}
+
+/**
+ * Cleans up the temporary mcpJsonSchema property from MCP tools after registry is populated.
+ * This property is only needed during registry building and can be safely removed afterward.
+ *
+ * @param tools - Array of tools to clean up
+ */
+export function cleanupMCPToolSchemas(tools: MCPToolInstance[]): void {
+  for (const tool of tools) {
+    if (tool.mcpJsonSchema !== undefined) {
+      delete tool.mcpJsonSchema;
+    }
+  }
+}
+
+/** Parameters for building tool classification and creating PTC/tool search tools */
+export interface BuildToolClassificationParams {
+  /** All loaded tools (will be filtered for MCP tools) */
+  loadedTools: GenericTool[];
+  /** User ID for auth lookup */
+  userId: string;
+  /** Agent ID (used to check if this agent should have classification features) */
+  agentId?: string;
+  /** Per-tool configuration from the agent (takes precedence over env vars) */
+  agentToolOptions?: AgentToolOptions;
+  /** Whether the deferred_tools capability is enabled (from agent config) */
+  deferredToolsEnabled?: boolean;
+  /** Function to load auth values (dependency injection) */
+  loadAuthValues: (params: {
+    userId: string;
+    authFields: string[];
+  }) => Promise<Record<string, string>>;
+}
+
+/** Result from building tool classification */
+export interface BuildToolClassificationResult {
+  /** Tool registry built from MCP tools (undefined if no MCP tools) */
+  toolRegistry?: LCToolRegistry;
+  /** Additional tools created (PTC and/or tool search) */
+  additionalTools: GenericTool[];
+  /** Whether any tools have defer_loading enabled (precomputed for efficiency) */
+  hasDeferredTools: boolean;
+}
+
+/**
+ * Checks if an agent is allowed to have classification features based on TOOL_CLASSIFICATION_AGENT_IDS.
+ * If TOOL_CLASSIFICATION_AGENT_IDS is not set, all agents are allowed (including when no agentId).
+ * If set, requires agentId to be in the list.
+ * @param agentId - The agent ID to check
+ * @returns Whether the agent is allowed
+ */
+export function isAgentAllowedForClassification(agentId?: string): boolean {
+  const allowedAgentIds = parseToolList(process.env.TOOL_CLASSIFICATION_AGENT_IDS);
+  if (allowedAgentIds.size === 0) {
+    return true;
+  }
+  if (!agentId) {
+    return false;
+  }
+  return allowedAgentIds.has(agentId);
+}
+
+/**
+ * Checks if an agent's tools have any that match PTC patterns (programmatic only or dual context).
+ * @param toolRegistry - The tool registry to check
+ * @returns Whether any tools are configured for programmatic calling
+ */
+export function agentHasProgrammaticTools(toolRegistry: LCToolRegistry): boolean {
+  for (const toolDef of toolRegistry.values()) {
+    if (toolDef.allowed_callers?.includes('code_execution')) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Checks if an agent's tools have any that are deferred.
+ * @param toolRegistry - The tool registry to check
+ * @returns Whether any tools are configured as deferred
+ */
+export function agentHasDeferredTools(toolRegistry: LCToolRegistry): boolean {
+  for (const toolDef of toolRegistry.values()) {
+    if (toolDef.defer_loading === true) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Builds the tool registry from MCP tools and conditionally creates PTC and tool search tools.
+ *
+ * This function:
+ * 1. Checks if the agent is allowed for classification features (via TOOL_CLASSIFICATION_AGENT_IDS)
+ * 2. Filters loaded tools for MCP tools
+ * 3. Extracts tool definitions and builds the registry
+ *    - Uses agent's tool_options if provided (UI-based configuration)
+ *    - Falls back to env vars for tools not configured at agent level
+ * 4. Cleans up temporary mcpJsonSchema properties
+ * 5. Creates PTC tool only if agent has tools configured for programmatic calling
+ * 6. Creates tool search tool only if agent has deferred tools
+ *
+ * @param params - Parameters including loaded tools, userId, agentId, agentToolOptions, and dependencies
+ * @returns Tool registry and any additional tools created
+ */
+export async function buildToolClassification(
+  params: BuildToolClassificationParams,
+): Promise<BuildToolClassificationResult> {
+  const {
+    loadedTools,
+    userId,
+    agentId,
+    agentToolOptions,
+    deferredToolsEnabled = true,
+    loadAuthValues,
+  } = params;
+  const additionalTools: GenericTool[] = [];
+
+  /** Check if this agent is allowed to have classification features (requires agentId) */
+  if (!isAgentAllowedForClassification(agentId)) {
+    logger.debug(
+      `[buildToolClassification] Agent ${agentId ?? 'undefined'} not allowed for classification, skipping`,
+    );
+    return { toolRegistry: undefined, additionalTools, hasDeferredTools: false };
+  }
+
+  const mcpTools = loadedTools.filter(isMCPTool);
+  if (mcpTools.length === 0) {
+    return { toolRegistry: undefined, additionalTools, hasDeferredTools: false };
+  }
+
+  const mcpToolDefs = mcpTools.map(extractMCPToolDefinition);
+
+  /**
+   * Build registry from agent's tool_options if provided (UI config).
+   * Environment variable-based classification is only used as fallback
+   * when TOOL_CLASSIFICATION_FROM_ENV=true is explicitly set.
+   */
+  let toolRegistry: LCToolRegistry | undefined;
+
+  if (agentToolOptions && Object.keys(agentToolOptions).length > 0) {
+    toolRegistry = buildToolRegistryFromAgentOptions(mcpToolDefs, agentToolOptions);
+  } else if (process.env.TOOL_CLASSIFICATION_FROM_ENV === 'true') {
+    toolRegistry = buildToolRegistryFromEnv(mcpToolDefs);
+  } else {
+    /** No agent-level config and env-based classification not enabled */
+    return { toolRegistry: undefined, additionalTools, hasDeferredTools: false };
+  }
+
+  /** Clean up temporary mcpJsonSchema property from tools now that registry is populated */
+  cleanupMCPToolSchemas(mcpTools);
+
+  /**
+   * Check if this agent actually has tools that match the patterns.
+   * Only enable PTC if the agent has programmatic tools.
+   * Only enable tool search if the agent has deferred tools AND the capability is enabled.
+   */
+  const hasProgrammaticTools = agentHasProgrammaticTools(toolRegistry);
+  const hasDeferredTools = deferredToolsEnabled && agentHasDeferredTools(toolRegistry);
+
+  /**
+   * If deferred tools capability is disabled, clear defer_loading from all tools
+   * to ensure no tools are treated as deferred at runtime.
+   */
+  if (!deferredToolsEnabled) {
+    for (const toolDef of toolRegistry.values()) {
+      if (toolDef.defer_loading === true) {
+        toolDef.defer_loading = false;
+      }
+    }
+  }
+
+  if (!hasProgrammaticTools && !hasDeferredTools) {
+    logger.debug(
+      `[buildToolClassification] Agent ${agentId} has no programmatic or deferred tools, skipping PTC/ToolSearch`,
+    );
+    return { toolRegistry, additionalTools, hasDeferredTools: false };
+  }
+
+  /** Tool search uses local mode (no API key needed) */
+  if (hasDeferredTools) {
+    const toolSearchTool = createToolSearch({
+      mode: 'local',
+      toolRegistry,
+    });
+    additionalTools.push(toolSearchTool);
+    logger.debug(`[buildToolClassification] Tool Search enabled for agent ${agentId}`);
+  }
+
+  /** PTC requires CODE_API_KEY for sandbox execution */
+  if (hasProgrammaticTools) {
+    try {
+      const authValues = await loadAuthValues({
+        userId,
+        authFields: [EnvVar.CODE_API_KEY],
+      });
+      const codeApiKey = authValues[EnvVar.CODE_API_KEY];
+
+      if (!codeApiKey) {
+        logger.warn('[buildToolClassification] PTC configured but CODE_API_KEY not available');
+      } else {
+        const ptcTool = createProgrammaticToolCallingTool({ apiKey: codeApiKey });
+        additionalTools.push(ptcTool);
+        logger.debug(`[buildToolClassification] PTC tool enabled for agent ${agentId}`);
+      }
+    } catch (error) {
+      logger.error('[buildToolClassification] Error creating PTC tool:', error);
+    }
+  }
+
+  return { toolRegistry, additionalTools, hasDeferredTools };
+}
diff --git a/packages/api/src/tools/index.ts b/packages/api/src/tools/index.ts
index eb375902f1be..4dd8065c0520 100644
--- a/packages/api/src/tools/index.ts
+++ b/packages/api/src/tools/index.ts
@@ -1,2 +1,3 @@
 export * from './format';
 export * from './toolkits';
+export * from './classification';
diff --git a/packages/api/src/types/bedrock.ts b/packages/api/src/types/bedrock.ts
index 22c8464619a3..8f34b2864d19 100644
--- a/packages/api/src/types/bedrock.ts
+++ b/packages/api/src/types/bedrock.ts
@@ -21,6 +21,13 @@ export interface GuardrailConfiguration {
   trace?: 'enabled' | 'disabled' | 'enabled_full';
 }
 
+/**
+ * AWS Bedrock Inference Profile configuration
+ * Maps model IDs to their inference profile ARNs
+ * @see https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles.html
+ */
+export type InferenceProfileConfig = Record<string, string>;
+
 /**
  * Configuration options for Bedrock LLM
  */
@@ -36,6 +43,8 @@ export interface BedrockConfigOptions {
   endpointHost?: string;
   /** Guardrail configuration for content filtering */
   guardrailConfig?: GuardrailConfiguration;
+  /** Inference profile ARNs keyed by model ID / friendly name */
+  inferenceProfiles?: InferenceProfileConfig;
 }
 
 /**
@@ -48,6 +57,7 @@ export interface BedrockLLMConfigResult {
     credentials?: BedrockCredentials;
     endpointHost?: string;
     guardrailConfig?: GuardrailConfiguration;
+    applicationInferenceProfile?: string;
   };
   configOptions: Record<string, unknown>;
 }
diff --git a/packages/api/src/utils/env.ts b/packages/api/src/utils/env.ts
index 5a8ea19ac301..f4fd2b1c78ad 100644
--- a/packages/api/src/utils/env.ts
+++ b/packages/api/src/utils/env.ts
@@ -46,10 +46,10 @@ type SafeUser = Pick<IUser, AllowedUserField>;
  *   if (headerValue.startsWith('b64:')) {
  *     const decoded = Buffer.from(headerValue.slice(4), 'base64').toString('utf8');
  *   }
- * 
+ *
  * @param value - The string value to encode
  * @returns ASCII-safe string (encoded if necessary)
- * 
+ *
  * @example
  * encodeHeaderValue("José")   // Returns "José" (é = 233, safe)
  * encodeHeaderValue("Marić")  // Returns "b64:TWFyacSH" (ć = 263, needs encoding)
@@ -59,17 +59,17 @@ export function encodeHeaderValue(value: string): string {
   if (!value || typeof value !== 'string') {
     return '';
   }
-  
+
   // Check if string contains extended Unicode characters (> 255)
   // Characters 0-255 (ASCII + Latin-1) are safe and don't need encoding
   // Characters > 255 (e.g., ć=263, đ=272, ł=322) need Base64 encoding
   // eslint-disable-next-line no-control-regex
   const hasExtendedUnicode = /[^\u0000-\u00FF]/.test(value);
-  
+
   if (!hasExtendedUnicode) {
     return value; // Safe to pass through
   }
-  
+
   // Encode to Base64 for extended Unicode characters
   const base64 = Buffer.from(value, 'utf8').toString('base64');
   return `b64:${base64}`;
@@ -118,7 +118,11 @@ const ALLOWED_BODY_FIELDS = ['conversationId', 'parentMessageId', 'messageId'] a
  * @param isHeader - Whether this value will be used in an HTTP header
  * @returns The processed string with placeholders replaced (and encoded if necessary)
  */
-function processUserPlaceholders(value: string, user?: IUser, isHeader: boolean = false): string {
+function processUserPlaceholders(
+  value: string,
+  user?: Partial<IUser>,
+  isHeader: boolean = false,
+): string {
   if (!user || typeof value !== 'string') {
     return value;
   }
@@ -208,7 +212,7 @@ function processSingleValue({
 }: {
   originalValue: string;
   customUserVars?: Record<string, string>;
-  user?: IUser;
+  user?: Partial<IUser>;
   body?: RequestBody;
   isHeader?: boolean;
 }): string {
@@ -255,7 +259,7 @@ function processSingleValue({
  */
 export function processMCPEnv(params: {
   options: Readonly<MCPOptions>;
-  user?: IUser;
+  user?: Partial<IUser>;
   customUserVars?: Record<string, string>;
   body?: RequestBody;
 }): MCPOptions {
diff --git a/packages/api/src/utils/graph.spec.ts b/packages/api/src/utils/graph.spec.ts
new file mode 100644
index 000000000000..4f1fa14983ef
--- /dev/null
+++ b/packages/api/src/utils/graph.spec.ts
@@ -0,0 +1,467 @@
+import type { TUser } from 'librechat-data-provider';
+import type { GraphTokenResolver, GraphTokenOptions } from './graph';
+import {
+  containsGraphTokenPlaceholder,
+  recordContainsGraphTokenPlaceholder,
+  mcpOptionsContainGraphTokenPlaceholder,
+  resolveGraphTokenPlaceholder,
+  resolveGraphTokensInRecord,
+  preProcessGraphTokens,
+} from './graph';
+
+// Mock the logger
+jest.mock('@librechat/data-schemas', () => ({
+  logger: {
+    warn: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+// Mock the oidc module
+jest.mock('./oidc', () => ({
+  GRAPH_TOKEN_PLACEHOLDER: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+  DEFAULT_GRAPH_SCOPES: 'https://graph.microsoft.com/.default',
+  extractOpenIDTokenInfo: jest.fn(),
+  isOpenIDTokenValid: jest.fn(),
+}));
+
+import { extractOpenIDTokenInfo, isOpenIDTokenValid } from './oidc';
+
+const mockExtractOpenIDTokenInfo = extractOpenIDTokenInfo as jest.Mock;
+const mockIsOpenIDTokenValid = isOpenIDTokenValid as jest.Mock;
+
+describe('Graph Token Utilities', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('containsGraphTokenPlaceholder', () => {
+    it('should return true when string contains the placeholder', () => {
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      expect(containsGraphTokenPlaceholder(value)).toBe(true);
+    });
+
+    it('should return false when string does not contain the placeholder', () => {
+      const value = 'Bearer some-static-token';
+      expect(containsGraphTokenPlaceholder(value)).toBe(false);
+    });
+
+    it('should return false for empty string', () => {
+      expect(containsGraphTokenPlaceholder('')).toBe(false);
+    });
+
+    it('should return false for non-string values', () => {
+      expect(containsGraphTokenPlaceholder(123 as unknown as string)).toBe(false);
+      expect(containsGraphTokenPlaceholder(null as unknown as string)).toBe(false);
+      expect(containsGraphTokenPlaceholder(undefined as unknown as string)).toBe(false);
+    });
+
+    it('should detect placeholder in the middle of a string', () => {
+      const value = 'prefix-{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}-suffix';
+      expect(containsGraphTokenPlaceholder(value)).toBe(true);
+    });
+  });
+
+  describe('recordContainsGraphTokenPlaceholder', () => {
+    it('should return true when any value contains the placeholder', () => {
+      const record = {
+        Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        'Content-Type': 'application/json',
+      };
+      expect(recordContainsGraphTokenPlaceholder(record)).toBe(true);
+    });
+
+    it('should return false when no value contains the placeholder', () => {
+      const record = {
+        Authorization: 'Bearer static-token',
+        'Content-Type': 'application/json',
+      };
+      expect(recordContainsGraphTokenPlaceholder(record)).toBe(false);
+    });
+
+    it('should return false for undefined record', () => {
+      expect(recordContainsGraphTokenPlaceholder(undefined)).toBe(false);
+    });
+
+    it('should return false for null record', () => {
+      expect(recordContainsGraphTokenPlaceholder(null as unknown as Record<string, string>)).toBe(
+        false,
+      );
+    });
+
+    it('should return false for empty record', () => {
+      expect(recordContainsGraphTokenPlaceholder({})).toBe(false);
+    });
+
+    it('should return false for non-object values', () => {
+      expect(recordContainsGraphTokenPlaceholder('string' as unknown as Record<string, string>)).toBe(
+        false,
+      );
+    });
+  });
+
+  describe('mcpOptionsContainGraphTokenPlaceholder', () => {
+    it('should return true when url contains the placeholder', () => {
+      const options = {
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+      };
+      expect(mcpOptionsContainGraphTokenPlaceholder(options)).toBe(true);
+    });
+
+    it('should return true when headers contain the placeholder', () => {
+      const options = {
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        },
+      };
+      expect(mcpOptionsContainGraphTokenPlaceholder(options)).toBe(true);
+    });
+
+    it('should return true when env contains the placeholder', () => {
+      const options = {
+        env: {
+          GRAPH_TOKEN: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        },
+      };
+      expect(mcpOptionsContainGraphTokenPlaceholder(options)).toBe(true);
+    });
+
+    it('should return false when no field contains the placeholder', () => {
+      const options = {
+        url: 'https://api.example.com',
+        headers: { Authorization: 'Bearer static-token' },
+        env: { API_KEY: 'some-key' },
+      };
+      expect(mcpOptionsContainGraphTokenPlaceholder(options)).toBe(false);
+    });
+
+    it('should return false for empty options', () => {
+      expect(mcpOptionsContainGraphTokenPlaceholder({})).toBe(false);
+    });
+  });
+
+  describe('resolveGraphTokenPlaceholder', () => {
+    const mockUser: Partial<TUser> = {
+      id: 'user-123',
+      provider: 'openid',
+      openidId: 'oidc-sub-456',
+    };
+
+    const mockGraphTokenResolver: GraphTokenResolver = jest.fn().mockResolvedValue({
+      access_token: 'resolved-graph-token',
+      token_type: 'Bearer',
+      expires_in: 3600,
+      scope: 'https://graph.microsoft.com/.default',
+    });
+
+    it('should return original value when no placeholder is present', async () => {
+      const value = 'Bearer static-token';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe('Bearer static-token');
+    });
+
+    it('should return original value when user is not provided', async () => {
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should return original value when graphTokenResolver is not provided', async () => {
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should return original value when token info is invalid', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue(null);
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should return original value when token is not valid', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(false);
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should return original value when access token is missing', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ userId: 'user-123' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should resolve placeholder with graph token', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe('Bearer resolved-graph-token');
+    });
+
+    it('should resolve multiple placeholders in a string', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+
+      const value =
+        'Primary: {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}, Secondary: {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+      });
+      expect(result).toBe('Primary: resolved-graph-token, Secondary: resolved-graph-token');
+    });
+
+    it('should return original value when graph token exchange fails', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+      const failingResolver: GraphTokenResolver = jest.fn().mockRejectedValue(new Error('Exchange failed'));
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: failingResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should return original value when graph token response has no access_token', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+      const emptyResolver: GraphTokenResolver = jest.fn().mockResolvedValue({});
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      const result = await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: emptyResolver,
+      });
+      expect(result).toBe(value);
+    });
+
+    it('should use provided scopes', async () => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+
+      const value = 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+      await resolveGraphTokenPlaceholder(value, {
+        user: mockUser as TUser,
+        graphTokenResolver: mockGraphTokenResolver,
+        scopes: 'custom-scope',
+      });
+
+      expect(mockGraphTokenResolver).toHaveBeenCalledWith(
+        mockUser,
+        'access-token',
+        'custom-scope',
+        true,
+      );
+    });
+  });
+
+  describe('resolveGraphTokensInRecord', () => {
+    const mockUser: Partial<TUser> = {
+      id: 'user-123',
+      provider: 'openid',
+    };
+
+    const mockGraphTokenResolver: GraphTokenResolver = jest.fn().mockResolvedValue({
+      access_token: 'resolved-graph-token',
+      token_type: 'Bearer',
+      expires_in: 3600,
+      scope: 'https://graph.microsoft.com/.default',
+    });
+
+    const options: GraphTokenOptions = {
+      user: mockUser as TUser,
+      graphTokenResolver: mockGraphTokenResolver,
+    };
+
+    beforeEach(() => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+    });
+
+    it('should return undefined for undefined record', async () => {
+      const result = await resolveGraphTokensInRecord(undefined, options);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return record unchanged when no placeholders present', async () => {
+      const record = {
+        Authorization: 'Bearer static-token',
+        'Content-Type': 'application/json',
+      };
+      const result = await resolveGraphTokensInRecord(record, options);
+      expect(result).toEqual(record);
+    });
+
+    it('should resolve placeholders in record values', async () => {
+      const record = {
+        Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        'Content-Type': 'application/json',
+      };
+      const result = await resolveGraphTokensInRecord(record, options);
+      expect(result).toEqual({
+        Authorization: 'Bearer resolved-graph-token',
+        'Content-Type': 'application/json',
+      });
+    });
+
+    it('should handle non-string values gracefully', async () => {
+      const record = {
+        Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        numericValue: 123 as unknown as string,
+      };
+      const result = await resolveGraphTokensInRecord(record, options);
+      expect(result).toEqual({
+        Authorization: 'Bearer resolved-graph-token',
+        numericValue: 123,
+      });
+    });
+  });
+
+  describe('preProcessGraphTokens', () => {
+    const mockUser: Partial<TUser> = {
+      id: 'user-123',
+      provider: 'openid',
+    };
+
+    const mockGraphTokenResolver: GraphTokenResolver = jest.fn().mockResolvedValue({
+      access_token: 'resolved-graph-token',
+      token_type: 'Bearer',
+      expires_in: 3600,
+      scope: 'https://graph.microsoft.com/.default',
+    });
+
+    const graphOptions: GraphTokenOptions = {
+      user: mockUser as TUser,
+      graphTokenResolver: mockGraphTokenResolver,
+    };
+
+    beforeEach(() => {
+      mockExtractOpenIDTokenInfo.mockReturnValue({ accessToken: 'access-token' });
+      mockIsOpenIDTokenValid.mockReturnValue(true);
+    });
+
+    it('should return options unchanged when no placeholders present', async () => {
+      const options = {
+        url: 'https://api.example.com',
+        headers: { Authorization: 'Bearer static-token' },
+        env: { API_KEY: 'some-key' },
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result).toEqual(options);
+    });
+
+    it('should resolve placeholder in url', async () => {
+      const options = {
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result.url).toBe('https://api.example.com?token=resolved-graph-token');
+    });
+
+    it('should resolve placeholder in headers', async () => {
+      const options = {
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          'Content-Type': 'application/json',
+        },
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result.headers).toEqual({
+        Authorization: 'Bearer resolved-graph-token',
+        'Content-Type': 'application/json',
+      });
+    });
+
+    it('should resolve placeholder in env', async () => {
+      const options = {
+        env: {
+          GRAPH_TOKEN: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+          OTHER_VAR: 'static-value',
+        },
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result.env).toEqual({
+        GRAPH_TOKEN: 'resolved-graph-token',
+        OTHER_VAR: 'static-value',
+      });
+    });
+
+    it('should resolve placeholders in all fields simultaneously', async () => {
+      const options = {
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        },
+        env: {
+          GRAPH_TOKEN: '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        },
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result.url).toBe('https://api.example.com?token=resolved-graph-token');
+      expect(result.headers).toEqual({
+        Authorization: 'Bearer resolved-graph-token',
+      });
+      expect(result.env).toEqual({
+        GRAPH_TOKEN: 'resolved-graph-token',
+      });
+    });
+
+    it('should not mutate the original options object', async () => {
+      const options = {
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        headers: {
+          Authorization: 'Bearer {{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        },
+      };
+      const originalUrl = options.url;
+      const originalAuth = options.headers.Authorization;
+
+      await preProcessGraphTokens(options, graphOptions);
+
+      expect(options.url).toBe(originalUrl);
+      expect(options.headers.Authorization).toBe(originalAuth);
+    });
+
+    it('should preserve additional properties in generic type', async () => {
+      const options = {
+        url: 'https://api.example.com?token={{LIBRECHAT_GRAPH_ACCESS_TOKEN}}',
+        customProperty: 'custom-value',
+        anotherProperty: 42,
+      };
+      const result = await preProcessGraphTokens(options, graphOptions);
+      expect(result.customProperty).toBe('custom-value');
+      expect(result.anotherProperty).toBe(42);
+      expect(result.url).toBe('https://api.example.com?token=resolved-graph-token');
+    });
+  });
+});
diff --git a/packages/api/src/utils/graph.ts b/packages/api/src/utils/graph.ts
new file mode 100644
index 000000000000..0ff3fc3583e8
--- /dev/null
+++ b/packages/api/src/utils/graph.ts
@@ -0,0 +1,215 @@
+import { logger } from '@librechat/data-schemas';
+import type { IUser } from '@librechat/data-schemas';
+import {
+  GRAPH_TOKEN_PLACEHOLDER,
+  DEFAULT_GRAPH_SCOPES,
+  extractOpenIDTokenInfo,
+  isOpenIDTokenValid,
+} from './oidc';
+
+/**
+ * Pre-computed regex for matching the Graph token placeholder.
+ * Escapes curly braces in the placeholder string for safe regex use.
+ */
+const GRAPH_TOKEN_REGEX = new RegExp(
+  GRAPH_TOKEN_PLACEHOLDER.replace(/[{}]/g, '\\$&'),
+  'g',
+);
+
+/**
+ * Response from a Graph API token exchange.
+ */
+export interface GraphTokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  scope: string;
+}
+
+/**
+ * Function type for resolving Graph API tokens via OBO flow.
+ * This function is injected from the main API layer since it requires
+ * access to OpenID configuration and caching services.
+ */
+export type GraphTokenResolver = (
+  user: IUser,
+  accessToken: string,
+  scopes: string,
+  fromCache?: boolean,
+) => Promise<GraphTokenResponse>;
+
+/**
+ * Options for processing Graph token placeholders.
+ */
+export interface GraphTokenOptions {
+  user?: IUser;
+  graphTokenResolver?: GraphTokenResolver;
+  scopes?: string;
+}
+
+/**
+ * Checks if a string contains the Graph token placeholder.
+ * @param value - The string to check
+ * @returns True if the placeholder is present
+ */
+export function containsGraphTokenPlaceholder(value: string): boolean {
+  return typeof value === 'string' && value.includes(GRAPH_TOKEN_PLACEHOLDER);
+}
+
+/**
+ * Checks if any value in a record contains the Graph token placeholder.
+ * @param record - The record to check (e.g., headers, env vars)
+ * @returns True if any value contains the placeholder
+ */
+export function recordContainsGraphTokenPlaceholder(
+  record: Record<string, string> | undefined,
+): boolean {
+  if (!record || typeof record !== 'object') {
+    return false;
+  }
+  return Object.values(record).some(containsGraphTokenPlaceholder);
+}
+
+/**
+ * Checks if MCP options contain the Graph token placeholder in headers, env, or url.
+ * @param options - The MCP options object
+ * @returns True if any field contains the placeholder
+ */
+export function mcpOptionsContainGraphTokenPlaceholder(options: {
+  headers?: Record<string, string>;
+  env?: Record<string, string>;
+  url?: string;
+}): boolean {
+  if (options.url && containsGraphTokenPlaceholder(options.url)) {
+    return true;
+  }
+  if (recordContainsGraphTokenPlaceholder(options.headers)) {
+    return true;
+  }
+  if (recordContainsGraphTokenPlaceholder(options.env)) {
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Asynchronously resolves Graph token placeholders in a string.
+ * This function must be called before the synchronous processMCPEnv pipeline.
+ *
+ * @param value - The string containing the placeholder
+ * @param options - Options including user and graph token resolver
+ * @returns The string with Graph token placeholder replaced
+ */
+export async function resolveGraphTokenPlaceholder(
+  value: string,
+  options: GraphTokenOptions,
+): Promise<string> {
+  if (!containsGraphTokenPlaceholder(value)) {
+    return value;
+  }
+
+  const { user, graphTokenResolver, scopes } = options;
+
+  if (!user || !graphTokenResolver) {
+    logger.warn(
+      '[resolveGraphTokenPlaceholder] User or graphTokenResolver not provided, cannot resolve Graph token',
+    );
+    return value;
+  }
+
+  const tokenInfo = extractOpenIDTokenInfo(user);
+  if (!tokenInfo || !isOpenIDTokenValid(tokenInfo)) {
+    logger.warn(
+      '[resolveGraphTokenPlaceholder] No valid OpenID token available for Graph token exchange',
+    );
+    return value;
+  }
+
+  if (!tokenInfo.accessToken) {
+    logger.warn('[resolveGraphTokenPlaceholder] No access token available for OBO exchange');
+    return value;
+  }
+
+  try {
+    const graphScopes = scopes || process.env.GRAPH_API_SCOPES || DEFAULT_GRAPH_SCOPES;
+    const graphTokenResponse = await graphTokenResolver(
+      user,
+      tokenInfo.accessToken,
+      graphScopes,
+      true, // Use cache
+    );
+
+    if (graphTokenResponse?.access_token) {
+      return value.replace(GRAPH_TOKEN_REGEX, graphTokenResponse.access_token);
+    }
+
+    logger.warn('[resolveGraphTokenPlaceholder] Graph token exchange did not return an access token');
+    return value;
+  } catch (error) {
+    logger.error('[resolveGraphTokenPlaceholder] Failed to exchange token for Graph API:', error);
+    return value;
+  }
+}
+
+/**
+ * Asynchronously resolves Graph token placeholders in a record of string values.
+ *
+ * @param record - The record containing placeholders (e.g., headers)
+ * @param options - Options including user and graph token resolver
+ * @returns The record with Graph token placeholders replaced
+ */
+export async function resolveGraphTokensInRecord(
+  record: Record<string, string> | undefined,
+  options: GraphTokenOptions,
+): Promise<Record<string, string> | undefined> {
+  if (!record || typeof record !== 'object') {
+    return record;
+  }
+
+  if (!recordContainsGraphTokenPlaceholder(record)) {
+    return record;
+  }
+
+  const resolved: Record<string, string> = {};
+  for (const [key, value] of Object.entries(record)) {
+    resolved[key] = await resolveGraphTokenPlaceholder(value, options);
+  }
+  return resolved;
+}
+
+/**
+ * Pre-processes MCP options to resolve Graph token placeholders.
+ * This must be called before processMCPEnv since Graph token resolution is async.
+ *
+ * @param options - The MCP options object
+ * @param graphOptions - Options for Graph token resolution
+ * @returns The options with Graph token placeholders resolved
+ */
+export async function preProcessGraphTokens<T extends {
+  headers?: Record<string, string>;
+  env?: Record<string, string>;
+  url?: string;
+}>(
+  options: T,
+  graphOptions: GraphTokenOptions,
+): Promise<T> {
+  if (!mcpOptionsContainGraphTokenPlaceholder(options)) {
+    return options;
+  }
+
+  const result = { ...options };
+
+  if (result.url && containsGraphTokenPlaceholder(result.url)) {
+    result.url = await resolveGraphTokenPlaceholder(result.url, graphOptions);
+  }
+
+  if (result.headers) {
+    result.headers = await resolveGraphTokensInRecord(result.headers, graphOptions);
+  }
+
+  if (result.env) {
+    result.env = await resolveGraphTokensInRecord(result.env, graphOptions);
+  }
+
+  return result;
+}
diff --git a/packages/api/src/utils/index.ts b/packages/api/src/utils/index.ts
index 947e566ce090..d4351eb5a07a 100644
--- a/packages/api/src/utils/index.ts
+++ b/packages/api/src/utils/index.ts
@@ -7,11 +7,13 @@ export * from './env';
 export * from './events';
 export * from './files';
 export * from './generators';
+export * from './graph';
 export * from './path';
 export * from './key';
 export * from './latex';
 export * from './llm';
 export * from './math';
+export * from './oidc';
 export * from './openid';
 export * from './promise';
 export * from './sanitizeTitle';
diff --git a/packages/api/src/utils/message.spec.ts b/packages/api/src/utils/message.spec.ts
index 144ebc1a9248..ba626c83fda7 100644
--- a/packages/api/src/utils/message.spec.ts
+++ b/packages/api/src/utils/message.spec.ts
@@ -1,4 +1,8 @@
-import { sanitizeFileForTransmit, sanitizeMessageForTransmit } from './message';
+import { Constants } from 'librechat-data-provider';
+import { sanitizeFileForTransmit, sanitizeMessageForTransmit, getThreadData } from './message';
+
+/** Cast to string for type compatibility with ThreadMessage */
+const NO_PARENT = Constants.NO_PARENT as string;
 
 describe('sanitizeFileForTransmit', () => {
   it('should remove text field from file', () => {
@@ -120,3 +124,272 @@ describe('sanitizeMessageForTransmit', () => {
     expect(message.files[0].text).toBe('original text');
   });
 });
+
+describe('getThreadData', () => {
+  describe('edge cases - empty and null inputs', () => {
+    it('should return empty result for empty messages array', () => {
+      const result = getThreadData([], 'parent-123');
+
+      expect(result.messageIds).toEqual([]);
+      expect(result.fileIds).toEqual([]);
+    });
+
+    it('should return empty result for null parentMessageId', () => {
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: null },
+        { messageId: 'msg-2', parentMessageId: 'msg-1' },
+      ];
+
+      const result = getThreadData(messages, null);
+
+      expect(result.messageIds).toEqual([]);
+      expect(result.fileIds).toEqual([]);
+    });
+
+    it('should return empty result for undefined parentMessageId', () => {
+      const messages = [{ messageId: 'msg-1', parentMessageId: null }];
+
+      const result = getThreadData(messages, undefined);
+
+      expect(result.messageIds).toEqual([]);
+      expect(result.fileIds).toEqual([]);
+    });
+
+    it('should return empty result when parentMessageId not found in messages', () => {
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: null },
+        { messageId: 'msg-2', parentMessageId: 'msg-1' },
+      ];
+
+      const result = getThreadData(messages, 'non-existent');
+
+      expect(result.messageIds).toEqual([]);
+      expect(result.fileIds).toEqual([]);
+    });
+  });
+
+  describe('thread traversal', () => {
+    it('should traverse a simple linear thread', () => {
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: NO_PARENT },
+        { messageId: 'msg-2', parentMessageId: 'msg-1' },
+        { messageId: 'msg-3', parentMessageId: 'msg-2' },
+      ];
+
+      const result = getThreadData(messages, 'msg-3');
+
+      expect(result.messageIds).toEqual(['msg-3', 'msg-2', 'msg-1']);
+      expect(result.fileIds).toEqual([]);
+    });
+
+    it('should stop at NO_PARENT constant', () => {
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: NO_PARENT },
+        { messageId: 'msg-2', parentMessageId: 'msg-1' },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.messageIds).toEqual(['msg-2', 'msg-1']);
+    });
+
+    it('should collect only messages in the thread branch', () => {
+      // Branched conversation: msg-1 -> msg-2 -> msg-3 (branch A)
+      //                       msg-1 -> msg-4 -> msg-5 (branch B)
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: NO_PARENT },
+        { messageId: 'msg-2', parentMessageId: 'msg-1' },
+        { messageId: 'msg-3', parentMessageId: 'msg-2' },
+        { messageId: 'msg-4', parentMessageId: 'msg-1' },
+        { messageId: 'msg-5', parentMessageId: 'msg-4' },
+      ];
+
+      const resultBranchA = getThreadData(messages, 'msg-3');
+      expect(resultBranchA.messageIds).toEqual(['msg-3', 'msg-2', 'msg-1']);
+
+      const resultBranchB = getThreadData(messages, 'msg-5');
+      expect(resultBranchB.messageIds).toEqual(['msg-5', 'msg-4', 'msg-1']);
+    });
+
+    it('should handle single message thread', () => {
+      const messages = [{ messageId: 'msg-1', parentMessageId: NO_PARENT }];
+
+      const result = getThreadData(messages, 'msg-1');
+
+      expect(result.messageIds).toEqual(['msg-1']);
+      expect(result.fileIds).toEqual([]);
+    });
+  });
+
+  describe('circular reference protection', () => {
+    it('should handle circular references without infinite loop', () => {
+      // Malformed data: msg-2 points to msg-3 which points back to msg-2
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: NO_PARENT },
+        { messageId: 'msg-2', parentMessageId: 'msg-3' },
+        { messageId: 'msg-3', parentMessageId: 'msg-2' },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      // Should stop when encountering a visited ID
+      expect(result.messageIds).toEqual(['msg-2', 'msg-3']);
+      expect(result.fileIds).toEqual([]);
+    });
+
+    it('should handle self-referencing message', () => {
+      const messages = [{ messageId: 'msg-1', parentMessageId: 'msg-1' }];
+
+      const result = getThreadData(messages, 'msg-1');
+
+      expect(result.messageIds).toEqual(['msg-1']);
+    });
+  });
+
+  describe('file ID collection', () => {
+    it('should collect file IDs from messages with files', () => {
+      const messages = [
+        {
+          messageId: 'msg-1',
+          parentMessageId: NO_PARENT,
+          files: [{ file_id: 'file-1' }, { file_id: 'file-2' }],
+        },
+        {
+          messageId: 'msg-2',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-3' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.messageIds).toEqual(['msg-2', 'msg-1']);
+      expect(result.fileIds).toContain('file-1');
+      expect(result.fileIds).toContain('file-2');
+      expect(result.fileIds).toContain('file-3');
+      expect(result.fileIds).toHaveLength(3);
+    });
+
+    it('should deduplicate file IDs across messages', () => {
+      const messages = [
+        {
+          messageId: 'msg-1',
+          parentMessageId: NO_PARENT,
+          files: [{ file_id: 'file-shared' }, { file_id: 'file-1' }],
+        },
+        {
+          messageId: 'msg-2',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-shared' }, { file_id: 'file-2' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.fileIds).toContain('file-shared');
+      expect(result.fileIds).toContain('file-1');
+      expect(result.fileIds).toContain('file-2');
+      expect(result.fileIds).toHaveLength(3);
+    });
+
+    it('should skip files without file_id', () => {
+      const messages = [
+        {
+          messageId: 'msg-1',
+          parentMessageId: NO_PARENT,
+          files: [{ file_id: 'file-1' }, { file_id: undefined }, { file_id: '' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-1');
+
+      expect(result.fileIds).toEqual(['file-1']);
+    });
+
+    it('should handle messages with empty files array', () => {
+      const messages = [
+        {
+          messageId: 'msg-1',
+          parentMessageId: NO_PARENT,
+          files: [],
+        },
+        {
+          messageId: 'msg-2',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-1' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.messageIds).toEqual(['msg-2', 'msg-1']);
+      expect(result.fileIds).toEqual(['file-1']);
+    });
+
+    it('should handle messages without files property', () => {
+      const messages = [
+        { messageId: 'msg-1', parentMessageId: NO_PARENT },
+        {
+          messageId: 'msg-2',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-1' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.messageIds).toEqual(['msg-2', 'msg-1']);
+      expect(result.fileIds).toEqual(['file-1']);
+    });
+
+    it('should only collect files from messages in the thread', () => {
+      // msg-3 is not in the thread from msg-2
+      const messages = [
+        {
+          messageId: 'msg-1',
+          parentMessageId: NO_PARENT,
+          files: [{ file_id: 'file-1' }],
+        },
+        {
+          messageId: 'msg-2',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-2' }],
+        },
+        {
+          messageId: 'msg-3',
+          parentMessageId: 'msg-1',
+          files: [{ file_id: 'file-3' }],
+        },
+      ];
+
+      const result = getThreadData(messages, 'msg-2');
+
+      expect(result.fileIds).toContain('file-1');
+      expect(result.fileIds).toContain('file-2');
+      expect(result.fileIds).not.toContain('file-3');
+    });
+  });
+
+  describe('performance - O(1) lookups', () => {
+    it('should handle large message arrays efficiently', () => {
+      // Create a linear thread of 1000 messages
+      const messages = [];
+      for (let i = 0; i < 1000; i++) {
+        messages.push({
+          messageId: `msg-${i}`,
+          parentMessageId: i === 0 ? NO_PARENT : `msg-${i - 1}`,
+          files: [{ file_id: `file-${i}` }],
+        });
+      }
+
+      const startTime = performance.now();
+      const result = getThreadData(messages, 'msg-999');
+      const endTime = performance.now();
+
+      expect(result.messageIds).toHaveLength(1000);
+      expect(result.fileIds).toHaveLength(1000);
+      // Should complete in reasonable time (< 100ms for 1000 messages)
+      expect(endTime - startTime).toBeLessThan(100);
+    });
+  });
+});
diff --git a/packages/api/src/utils/message.ts b/packages/api/src/utils/message.ts
index 312826b6ba46..b1e939c6d7ce 100644
--- a/packages/api/src/utils/message.ts
+++ b/packages/api/src/utils/message.ts
@@ -1,3 +1,4 @@
+import { Constants } from 'librechat-data-provider';
 import type { TFile, TMessage } from 'librechat-data-provider';
 
 /** Fields to strip from files before client transmission */
@@ -66,3 +67,74 @@ export function sanitizeMessageForTransmit<T extends Partial<TMessage>>(
 
   return sanitized;
 }
+
+/** Minimal message shape for thread traversal */
+type ThreadMessage = {
+  messageId: string;
+  parentMessageId?: string | null;
+  files?: Array<{ file_id?: string }>;
+};
+
+/** Result of thread data extraction */
+export type ThreadData = {
+  messageIds: string[];
+  fileIds: string[];
+};
+
+/**
+ * Extracts thread message IDs and file IDs in a single O(n) pass.
+ * Builds a Map for O(1) lookups, then traverses the thread collecting both IDs.
+ *
+ * @param messages - All messages in the conversation (should be queried with select for efficiency)
+ * @param parentMessageId - The ID of the parent message to start traversal from
+ * @returns Object containing messageIds and fileIds arrays
+ */
+export function getThreadData(
+  messages: ThreadMessage[],
+  parentMessageId: string | null | undefined,
+): ThreadData {
+  const result: ThreadData = { messageIds: [], fileIds: [] };
+
+  if (!messages || messages.length === 0 || !parentMessageId) {
+    return result;
+  }
+
+  /** Build Map for O(1) lookups instead of O(n) .find() calls */
+  const messageMap = new Map<string, ThreadMessage>();
+  for (const msg of messages) {
+    messageMap.set(msg.messageId, msg);
+  }
+
+  const fileIdSet = new Set<string>();
+  const visitedIds = new Set<string>();
+  let currentId: string | null | undefined = parentMessageId;
+
+  /** Single traversal: collect message IDs and file IDs together */
+  while (currentId) {
+    if (visitedIds.has(currentId)) {
+      break;
+    }
+    visitedIds.add(currentId);
+
+    const message = messageMap.get(currentId);
+    if (!message) {
+      break;
+    }
+
+    result.messageIds.push(message.messageId);
+
+    /** Collect file IDs from this message */
+    if (message.files) {
+      for (const file of message.files) {
+        if (file.file_id) {
+          fileIdSet.add(file.file_id);
+        }
+      }
+    }
+
+    currentId = message.parentMessageId === Constants.NO_PARENT ? null : message.parentMessageId;
+  }
+
+  result.fileIds = Array.from(fileIdSet);
+  return result;
+}
diff --git a/packages/api/src/utils/oidc.spec.ts b/packages/api/src/utils/oidc.spec.ts
index a5312e9c69e0..0c403e091df9 100644
--- a/packages/api/src/utils/oidc.spec.ts
+++ b/packages/api/src/utils/oidc.spec.ts
@@ -1,4 +1,9 @@
-import { extractOpenIDTokenInfo, isOpenIDTokenValid, processOpenIDPlaceholders } from './oidc';
+import {
+  extractOpenIDTokenInfo,
+  isOpenIDTokenValid,
+  processOpenIDPlaceholders,
+  extractSubFromAccessToken,
+} from './oidc';
 import type { TUser } from 'librechat-data-provider';
 
 describe('OpenID Token Utilities', () => {
@@ -479,4 +484,101 @@ describe('OpenID Token Utilities', () => {
       expect(tokenInfo).toBeNull();
     });
   });
+
+  describe('extractSubFromAccessToken', () => {
+    it('should extract sub claim from valid JWT access token', () => {
+      // Create a mock JWT: header.payload.signature
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64');
+      const payload = Buffer.from(
+        JSON.stringify({ sub: 'cognito-sub-12345', aud: 'test-client-id' }),
+      ).toString('base64');
+      const signature = 'mock-signature';
+      const mockJWT = `${header}.${payload}.${signature}`;
+
+      const result = extractSubFromAccessToken(mockJWT);
+
+      expect(result.sub).toBe('cognito-sub-12345');
+      expect(result.error).toBeUndefined();
+    });
+
+    it('should return null when access token is undefined', () => {
+      const result = extractSubFromAccessToken(undefined);
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBe('No access token provided');
+    });
+
+    it('should return null when access token is empty string', () => {
+      const result = extractSubFromAccessToken('');
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBe('No access token provided');
+    });
+
+    it('should return null when JWT format is invalid (not 3 parts)', () => {
+      const invalidJWT = 'invalid.jwt';
+
+      const result = extractSubFromAccessToken(invalidJWT);
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBe('Invalid JWT format');
+    });
+
+    it('should return null when JWT has no sub claim', () => {
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64');
+      const payload = Buffer.from(JSON.stringify({ aud: 'test-client-id' })).toString('base64');
+      const signature = 'mock-signature';
+      const mockJWT = `${header}.${payload}.${signature}`;
+
+      const result = extractSubFromAccessToken(mockJWT);
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBe('No sub claim in access token');
+    });
+
+    it('should handle decode errors gracefully', () => {
+      // Provide a JWT with invalid base64 in the payload
+      const invalidJWT = 'header.!!!invalid-base64!!!.signature';
+
+      const result = extractSubFromAccessToken(invalidJWT);
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBeDefined();
+    });
+
+    it('should handle JWT with empty sub claim', () => {
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64');
+      const payload = Buffer.from(JSON.stringify({ sub: '', aud: 'test-client-id' })).toString(
+        'base64',
+      );
+      const signature = 'mock-signature';
+      const mockJWT = `${header}.${payload}.${signature}`;
+
+      const result = extractSubFromAccessToken(mockJWT);
+
+      expect(result.sub).toBeNull();
+      expect(result.error).toBe('No sub claim in access token');
+    });
+
+    it('should extract sub claim when JWT has additional claims', () => {
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64');
+      const payload = Buffer.from(
+        JSON.stringify({
+          sub: 'user-sub-xyz',
+          aud: 'test-client',
+          iss: 'https://cognito.amazonaws.com',
+          exp: 1234567890,
+          iat: 1234567800,
+          email: 'user@example.com',
+        }),
+      ).toString('base64');
+      const signature = 'mock-signature';
+      const mockJWT = `${header}.${payload}.${signature}`;
+
+      const result = extractSubFromAccessToken(mockJWT);
+
+      expect(result.sub).toBe('user-sub-xyz');
+      expect(result.error).toBeUndefined();
+    });
+  });
 });
diff --git a/packages/api/src/utils/oidc.ts b/packages/api/src/utils/oidc.ts
index cebda91e6969..711ca56603ad 100644
--- a/packages/api/src/utils/oidc.ts
+++ b/packages/api/src/utils/oidc.ts
@@ -34,7 +34,22 @@ const OPENID_TOKEN_FIELDS = [
   'EXPIRES_AT',
 ] as const;
 
-export function extractOpenIDTokenInfo(user: IUser | null | undefined): OpenIDTokenInfo | null {
+/**
+ * Placeholder for Microsoft Graph API access token.
+ * This placeholder is resolved asynchronously via OBO (On-Behalf-Of) flow
+ * and requires special handling outside the synchronous processMCPEnv pipeline.
+ */
+export const GRAPH_TOKEN_PLACEHOLDER = '{{LIBRECHAT_GRAPH_ACCESS_TOKEN}}';
+
+/**
+ * Default Microsoft Graph API scopes for OBO token exchange.
+ * Can be overridden via GRAPH_API_SCOPES environment variable.
+ */
+export const DEFAULT_GRAPH_SCOPES = 'https://graph.microsoft.com/.default';
+
+export function extractOpenIDTokenInfo(
+  user: Partial<IUser> | null | undefined,
+): OpenIDTokenInfo | null {
   if (!user) {
     return null;
   }
@@ -174,3 +189,58 @@ export function isOpenIDAvailable(): boolean {
 
   return !!(openidClientId && openidClientSecret && openidIssuer);
 }
+
+export interface ExtractedSubClaim {
+  sub: string | null;
+  error?: string;
+}
+
+/**
+ * Extracts the `sub` claim from an OpenID access token.
+ *
+ * This function decodes the JWT access token and extracts the OpenID provider's
+ * subject identifier (sub claim), which is typically a unique identifier for the
+ * user in the identity provider (e.g., Cognito sub).
+ *
+ * @param accessToken - The OpenID access token to decode
+ * @returns An object containing the sub claim or null if extraction fails
+ *
+ * @example
+ * ```typescript
+ * const result = extractSubFromAccessToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...');
+ * if (result.sub) {
+ *   console.log('Subject:', result.sub);
+ * }
+ * ```
+ */
+export function extractSubFromAccessToken(accessToken: string | undefined): ExtractedSubClaim {
+  if (!accessToken) {
+    logger.debug('[extractSubFromAccessToken] No access token provided');
+    return { sub: null, error: 'No access token provided' };
+  }
+
+  try {
+    // Decode JWT without verification (we only need to read the payload)
+    const parts = accessToken.split('.');
+    if (parts.length !== 3) {
+      logger.debug('[extractSubFromAccessToken] Invalid JWT format');
+      return { sub: null, error: 'Invalid JWT format' };
+    }
+
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+
+    if (!payload.sub) {
+      logger.debug('[extractSubFromAccessToken] No sub claim in access token');
+      return { sub: null, error: 'No sub claim in access token' };
+    }
+
+    logger.debug('[extractSubFromAccessToken] Successfully extracted sub claim:', payload.sub);
+    return { sub: payload.sub };
+  } catch (error) {
+    logger.error('[extractSubFromAccessToken] Failed to decode access token:', error);
+    return {
+      sub: null,
+      error: error instanceof Error ? error.message : 'Failed to decode access token',
+    };
+  }
+}
diff --git a/packages/data-provider/src/accessPermissions.ts b/packages/data-provider/src/accessPermissions.ts
index 5fa288e4b3ae..f2431fcf9ae7 100644
--- a/packages/data-provider/src/accessPermissions.ts
+++ b/packages/data-provider/src/accessPermissions.ts
@@ -46,6 +46,7 @@ export enum ResourceType {
   AGENT = 'agent',
   PROMPTGROUP = 'promptGroup',
   MCPSERVER = 'mcpServer',
+  REMOTE_AGENT = 'remoteAgent',
 }
 
 /**
@@ -75,6 +76,9 @@ export enum AccessRoleIds {
   MCPSERVER_VIEWER = 'mcpServer_viewer',
   MCPSERVER_EDITOR = 'mcpServer_editor',
   MCPSERVER_OWNER = 'mcpServer_owner',
+  REMOTE_AGENT_VIEWER = 'remoteAgent_viewer',
+  REMOTE_AGENT_EDITOR = 'remoteAgent_editor',
+  REMOTE_AGENT_OWNER = 'remoteAgent_owner',
 }
 
 // ===== ZOD SCHEMAS =====
@@ -310,11 +314,22 @@ export function permBitsToAccessLevel(permBits: number): TAccessLevel {
 export function accessRoleToPermBits(accessRoleId: string): number {
   switch (accessRoleId) {
     case AccessRoleIds.AGENT_VIEWER:
+    case AccessRoleIds.PROMPTGROUP_VIEWER:
+    case AccessRoleIds.MCPSERVER_VIEWER:
+    case AccessRoleIds.REMOTE_AGENT_VIEWER:
       return PermissionBits.VIEW;
     case AccessRoleIds.AGENT_EDITOR:
+    case AccessRoleIds.PROMPTGROUP_EDITOR:
+    case AccessRoleIds.MCPSERVER_EDITOR:
+    case AccessRoleIds.REMOTE_AGENT_EDITOR:
       return PermissionBits.VIEW | PermissionBits.EDIT;
     case AccessRoleIds.AGENT_OWNER:
-      return PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE;
+    case AccessRoleIds.PROMPTGROUP_OWNER:
+    case AccessRoleIds.MCPSERVER_OWNER:
+    case AccessRoleIds.REMOTE_AGENT_OWNER:
+      return (
+        PermissionBits.VIEW | PermissionBits.EDIT | PermissionBits.DELETE | PermissionBits.SHARE
+      );
     default:
       return PermissionBits.VIEW;
   }
diff --git a/packages/data-provider/src/api-endpoints.ts b/packages/data-provider/src/api-endpoints.ts
index ef7e0d6cfbd1..d49535b0942d 100644
--- a/packages/data-provider/src/api-endpoints.ts
+++ b/packages/data-provider/src/api-endpoints.ts
@@ -95,6 +95,12 @@ export const revokeUserKey = (name: string) => `${keysEndpoint}/${name}`;
 
 export const revokeAllUserKeys = () => `${keysEndpoint}?all=true`;
 
+const apiKeysEndpoint = `${BASE_URL}/api/api-keys`;
+
+export const apiKeys = () => apiKeysEndpoint;
+
+export const apiKeyById = (id: string) => `${apiKeysEndpoint}/${id}`;
+
 export const conversationsRoot = `${BASE_URL}/api/convos`;
 
 export const conversations = (params: q.ConversationListParams) => {
@@ -329,6 +335,8 @@ export const updateAgentPermissions = (roleName: string) => `${getRole(roleName)
 export const updatePeoplePickerPermissions = (roleName: string) =>
   `${getRole(roleName)}/people-picker`;
 export const updateMCPServersPermissions = (roleName: string) => `${getRole(roleName)}/mcp-servers`;
+export const updateRemoteAgentsPermissions = (roleName: string) =>
+  `${getRole(roleName)}/remote-agents`;
 
 export const updateMarketplacePermissions = (roleName: string) =>
   `${getRole(roleName)}/marketplace`;
diff --git a/packages/data-provider/src/config.ts b/packages/data-provider/src/config.ts
index 45c964cbd8a2..de4c317f120c 100644
--- a/packages/data-provider/src/config.ts
+++ b/packages/data-provider/src/config.ts
@@ -177,6 +177,7 @@ export enum Capabilities {
 export enum AgentCapabilities {
   hide_sequential_outputs = 'hide_sequential_outputs',
   end_after_tools = 'end_after_tools',
+  deferred_tools = 'deferred_tools',
   execute_code = 'execute_code',
   file_search = 'file_search',
   web_search = 'web_search',
@@ -211,6 +212,8 @@ export type TBaseEndpoint = z.infer<typeof baseEndpointSchema>;
 export const bedrockEndpointSchema = baseEndpointSchema.merge(
   z.object({
     availableRegions: z.array(z.string()).optional(),
+    models: z.array(z.string()).optional(),
+    inferenceProfiles: z.record(z.string(), z.string()).optional(),
   }),
 );
 
@@ -259,6 +262,7 @@ export const assistantEndpointSchema = baseEndpointSchema.merge(
 export type TAssistantEndpoint = z.infer<typeof assistantEndpointSchema>;
 
 export const defaultAgentCapabilities = [
+  AgentCapabilities.deferred_tools,
   AgentCapabilities.execute_code,
   AgentCapabilities.file_search,
   AgentCapabilities.web_search,
@@ -656,6 +660,14 @@ export const interfaceSchema = z
       .optional(),
     fileSearch: z.boolean().optional(),
     fileCitations: z.boolean().optional(),
+    remoteAgents: z
+      .object({
+        use: z.boolean().optional(),
+        create: z.boolean().optional(),
+        share: z.boolean().optional(),
+        public: z.boolean().optional(),
+      })
+      .optional(),
   })
   .default({
     endpointsMenu: true,
@@ -695,6 +707,12 @@ export const interfaceSchema = z
     },
     fileSearch: true,
     fileCitations: true,
+    remoteAgents: {
+      use: false,
+      create: false,
+      share: false,
+      public: false,
+    },
   });
 
 export type TInterfaceConfig = z.infer<typeof interfaceSchema>;
@@ -981,7 +999,7 @@ export const configSchema = z.object({
       [EModelEndpoint.assistants]: assistantEndpointSchema.optional(),
       [EModelEndpoint.agents]: agentsEndpointSchema.optional(),
       [EModelEndpoint.custom]: customEndpointsSchema.optional(),
-      [EModelEndpoint.bedrock]: baseEndpointSchema.optional(),
+      [EModelEndpoint.bedrock]: bedrockEndpointSchema.optional(),
     })
     .strict()
     .refine((data) => Object.keys(data).length > 0, {
@@ -1434,6 +1452,10 @@ export enum CacheKeys {
    * Key for SAML session.
    */
   SAML_SESSION = 'SAML_SESSION',
+  /**
+   * Key for admin panel OAuth exchange codes (one-time-use, short TTL).
+   */
+  ADMIN_OAUTH_EXCHANGE = 'ADMIN_OAUTH_EXCHANGE',
 }
 
 /**
@@ -1750,6 +1772,8 @@ export enum Constants {
   LC_TRANSFER_TO_ = 'lc_transfer_to_',
   /** Placeholder Agent ID for Ephemeral Agents */
   EPHEMERAL_AGENT_ID = 'ephemeral',
+  /** Programmatic Tool Calling tool name */
+  PROGRAMMATIC_TOOL_CALLING = 'run_tools_with_code',
 }
 
 export enum LocalStorageKeys {
diff --git a/packages/data-provider/src/data-service.ts b/packages/data-provider/src/data-service.ts
index 911cc7863cbc..8919e2589bd5 100644
--- a/packages/data-provider/src/data-service.ts
+++ b/packages/data-provider/src/data-service.ts
@@ -81,6 +81,20 @@ export function updateUserKey(payload: t.TUpdateUserKeyRequest) {
   return request.put(endpoints.keys(), payload);
 }
 
+export function getAgentApiKeys(): Promise<t.TAgentApiKeyListResponse> {
+  return request.get(endpoints.apiKeys());
+}
+
+export function createAgentApiKey(
+  payload: t.TAgentApiKeyCreateRequest,
+): Promise<t.TAgentApiKeyCreateResponse> {
+  return request.post(endpoints.apiKeys(), payload);
+}
+
+export function deleteAgentApiKey(id: string): Promise<void> {
+  return request.delete(endpoints.apiKeyById(id));
+}
+
 export function getPresets(): Promise<s.TPreset[]> {
   return request.get(endpoints.presets());
 }
@@ -877,6 +891,15 @@ export function updateMCPServersPermissions(
   return request.put(endpoints.updateMCPServersPermissions(variables.roleName), variables.updates);
 }
 
+export function updateRemoteAgentsPermissions(
+  variables: m.UpdateRemoteAgentsPermVars,
+): Promise<m.UpdatePermResponse> {
+  return request.put(
+    endpoints.updateRemoteAgentsPermissions(variables.roleName),
+    variables.updates,
+  );
+}
+
 export function updateMarketplacePermissions(
   variables: m.UpdateMarketplacePermVars,
 ): Promise<m.UpdatePermResponse> {
diff --git a/packages/data-provider/src/file-config.ts b/packages/data-provider/src/file-config.ts
index 8dc3445be083..b2c24a47a0f9 100644
--- a/packages/data-provider/src/file-config.ts
+++ b/packages/data-provider/src/file-config.ts
@@ -198,8 +198,15 @@ export const codeTypeMapping: { [key: string]: string } = {
   ts: 'application/typescript', // .ts - TypeScript source
   tar: 'application/x-tar', // .tar - Tar archive
   zip: 'application/zip', // .zip - ZIP archive
+  txt: 'text/plain', // .txt - Plain text file
   log: 'text/plain', // .log - Log file
+  csv: 'text/csv', // .csv - Comma-separated values
   tsv: 'text/tab-separated-values', // .tsv - Tab-separated values
+  json: 'application/json', // .json - JSON file
+  xml: 'application/xml', // .xml - XML file
+  html: 'text/html', // .html - HTML file
+  htm: 'text/html', // .htm - HTML file
+  css: 'text/css', // .css - CSS file
   yml: 'application/yaml', // .yml - YAML
   yaml: 'application/yaml', // .yaml - YAML
   sql: 'application/sql', // .sql - SQL (IANA registered)
diff --git a/packages/data-provider/src/keys.ts b/packages/data-provider/src/keys.ts
index 235baf4ebef3..a5e67878ed41 100644
--- a/packages/data-provider/src/keys.ts
+++ b/packages/data-provider/src/keys.ts
@@ -62,6 +62,8 @@ export enum QueryKeys {
   mcpServer = 'mcpServer',
   /* Active Jobs */
   activeJobs = 'activeJobs',
+  /* Agent API Keys */
+  agentApiKeys = 'agentApiKeys',
 }
 
 // Dynamic query keys that require parameters
@@ -70,6 +72,8 @@ export const DynamicQueryKeys = {
 } as const;
 
 export enum MutationKeys {
+  createAgentApiKey = 'createAgentApiKey',
+  deleteAgentApiKey = 'deleteAgentApiKey',
   fileUpload = 'fileUpload',
   fileDelete = 'fileDelete',
   updatePreset = 'updatePreset',
diff --git a/packages/data-provider/src/permissions.ts b/packages/data-provider/src/permissions.ts
index 0d53dbe29b47..7a3144c82d54 100644
--- a/packages/data-provider/src/permissions.ts
+++ b/packages/data-provider/src/permissions.ts
@@ -56,6 +56,10 @@ export enum PermissionTypes {
    * Type for MCP Server Permissions
    */
   MCP_SERVERS = 'MCP_SERVERS',
+  /**
+   * Type for Remote Agent (API) Permissions
+   */
+  REMOTE_AGENTS = 'REMOTE_AGENTS',
 }
 
 /**
@@ -157,6 +161,14 @@ export const mcpServersPermissionsSchema = z.object({
 });
 export type TMcpServersPermissions = z.infer<typeof mcpServersPermissionsSchema>;
 
+export const remoteAgentsPermissionsSchema = z.object({
+  [Permissions.USE]: z.boolean().default(false),
+  [Permissions.CREATE]: z.boolean().default(false),
+  [Permissions.SHARE]: z.boolean().default(false),
+  [Permissions.SHARE_PUBLIC]: z.boolean().default(false),
+});
+export type TRemoteAgentsPermissions = z.infer<typeof remoteAgentsPermissionsSchema>;
+
 // Define a single permissions schema that holds all permission types.
 export const permissionsSchema = z.object({
   [PermissionTypes.PROMPTS]: promptPermissionsSchema,
@@ -172,4 +184,5 @@ export const permissionsSchema = z.object({
   [PermissionTypes.FILE_SEARCH]: fileSearchPermissionsSchema,
   [PermissionTypes.FILE_CITATIONS]: fileCitationsPermissionsSchema,
   [PermissionTypes.MCP_SERVERS]: mcpServersPermissionsSchema,
+  [PermissionTypes.REMOTE_AGENTS]: remoteAgentsPermissionsSchema,
 });
diff --git a/packages/data-provider/src/react-query/react-query-service.ts b/packages/data-provider/src/react-query/react-query-service.ts
index cd259fb50c9d..9d08d9d56aba 100644
--- a/packages/data-provider/src/react-query/react-query-service.ts
+++ b/packages/data-provider/src/react-query/react-query-service.ts
@@ -524,3 +524,43 @@ export const useMCPServerConnectionStatusQuery = (
     },
   );
 };
+
+export const useGetAgentApiKeysQuery = (
+  config?: UseQueryOptions<t.TAgentApiKeyListResponse>,
+): QueryObserverResult<t.TAgentApiKeyListResponse> => {
+  return useQuery<t.TAgentApiKeyListResponse>(
+    [QueryKeys.agentApiKeys],
+    () => dataService.getAgentApiKeys(),
+    {
+      refetchOnWindowFocus: false,
+      refetchOnReconnect: false,
+      refetchOnMount: false,
+      ...config,
+    },
+  );
+};
+
+export const useCreateAgentApiKeyMutation = (): UseMutationResult<
+  t.TAgentApiKeyCreateResponse,
+  unknown,
+  t.TAgentApiKeyCreateRequest
+> => {
+  const queryClient = useQueryClient();
+  return useMutation(
+    (payload: t.TAgentApiKeyCreateRequest) => dataService.createAgentApiKey(payload),
+    {
+      onSuccess: () => {
+        queryClient.invalidateQueries([QueryKeys.agentApiKeys]);
+      },
+    },
+  );
+};
+
+export const useDeleteAgentApiKeyMutation = (): UseMutationResult<void, unknown, string> => {
+  const queryClient = useQueryClient();
+  return useMutation((id: string) => dataService.deleteAgentApiKey(id), {
+    onSuccess: () => {
+      queryClient.invalidateQueries([QueryKeys.agentApiKeys]);
+    },
+  });
+};
diff --git a/packages/data-provider/src/roles.ts b/packages/data-provider/src/roles.ts
index b3d44a49d91a..b494ee581704 100644
--- a/packages/data-provider/src/roles.ts
+++ b/packages/data-provider/src/roles.ts
@@ -11,10 +11,11 @@ import {
   webSearchPermissionsSchema,
   fileSearchPermissionsSchema,
   multiConvoPermissionsSchema,
-  temporaryChatPermissionsSchema,
+  mcpServersPermissionsSchema,
   peoplePickerPermissionsSchema,
+  remoteAgentsPermissionsSchema,
+  temporaryChatPermissionsSchema,
   fileCitationsPermissionsSchema,
-  mcpServersPermissionsSchema,
 } from './permissions';
 
 /**
@@ -96,6 +97,12 @@ const defaultRolesSchema = z.object({
         [Permissions.SHARE]: z.boolean().default(true),
         [Permissions.SHARE_PUBLIC]: z.boolean().default(true),
       }),
+      [PermissionTypes.REMOTE_AGENTS]: remoteAgentsPermissionsSchema.extend({
+        [Permissions.USE]: z.boolean().default(true),
+        [Permissions.CREATE]: z.boolean().default(true),
+        [Permissions.SHARE]: z.boolean().default(true),
+        [Permissions.SHARE_PUBLIC]: z.boolean().default(true),
+      }),
     }),
   }),
   [SystemRoles.USER]: roleSchema.extend({
@@ -162,6 +169,12 @@ export const roleDefaults = defaultRolesSchema.parse({
         [Permissions.SHARE]: true,
         [Permissions.SHARE_PUBLIC]: true,
       },
+      [PermissionTypes.REMOTE_AGENTS]: {
+        [Permissions.USE]: true,
+        [Permissions.CREATE]: true,
+        [Permissions.SHARE]: true,
+        [Permissions.SHARE_PUBLIC]: true,
+      },
     },
   },
   [SystemRoles.USER]: {
@@ -186,6 +199,7 @@ export const roleDefaults = defaultRolesSchema.parse({
       [PermissionTypes.FILE_SEARCH]: {},
       [PermissionTypes.FILE_CITATIONS]: {},
       [PermissionTypes.MCP_SERVERS]: {},
+      [PermissionTypes.REMOTE_AGENTS]: {},
     },
   },
 });
diff --git a/packages/data-provider/src/schemas.ts b/packages/data-provider/src/schemas.ts
index a3378d33405c..d4c474026751 100644
--- a/packages/data-provider/src/schemas.ts
+++ b/packages/data-provider/src/schemas.ts
@@ -225,6 +225,7 @@ export const defaultAgentFormValues = {
   model: '',
   model_parameters: {},
   tools: [],
+  tool_options: {},
   provider: {},
   projectIds: [],
   edges: [],
diff --git a/packages/data-provider/src/types.ts b/packages/data-provider/src/types.ts
index d9050a07f035..2190b2cfe18b 100644
--- a/packages/data-provider/src/types.ts
+++ b/packages/data-provider/src/types.ts
@@ -235,6 +235,33 @@ export type TUpdateUserKeyRequest = {
   expiresAt: string;
 };
 
+export type TAgentApiKeyCreateRequest = {
+  name: string;
+  expiresAt?: string | null;
+};
+
+export type TAgentApiKeyCreateResponse = {
+  id: string;
+  name: string;
+  key: string;
+  keyPrefix: string;
+  createdAt: string;
+  expiresAt?: string;
+};
+
+export type TAgentApiKeyListItem = {
+  id: string;
+  name: string;
+  keyPrefix: string;
+  lastUsedAt?: string;
+  expiresAt?: string;
+  createdAt: string;
+};
+
+export type TAgentApiKeyListResponse = {
+  keys: TAgentApiKeyListItem[];
+};
+
 export type TUpdateConversationRequest = {
   conversationId: string;
   title: string;
diff --git a/packages/data-provider/src/types/assistants.ts b/packages/data-provider/src/types/assistants.ts
index da773071e777..8865767240dd 100644
--- a/packages/data-provider/src/types/assistants.ts
+++ b/packages/data-provider/src/types/assistants.ts
@@ -206,6 +206,38 @@ export type SupportContact = {
   email?: string;
 };
 
+/**
+ * Specifies who can invoke a tool.
+ * - 'direct': LLM can call directly
+ * - 'code_execution': Only callable via programmatic tool calling (PTC)
+ */
+export type AllowedCaller = 'direct' | 'code_execution';
+
+/**
+ * Per-tool configuration options stored at the agent level.
+ * Keyed by tool_id (e.g., "search_mcp_github").
+ */
+export type ToolOptions = {
+  /**
+   * If true, the tool uses deferred loading (discoverable via tool search).
+   * @default false
+   */
+  defer_loading?: boolean;
+  /**
+   * Specifies who can invoke this tool.
+   * - 'direct': LLM can call directly (default behavior)
+   * - 'code_execution': Only callable via PTC sandbox
+   * @default ['direct']
+   */
+  allowed_callers?: AllowedCaller[];
+};
+
+/**
+ * Map of tool_id to its configuration options.
+ * Used to customize tool behavior per agent.
+ */
+export type AgentToolOptions = Record<string, ToolOptions>;
+
 export type Agent = {
   _id?: string;
   id: string;
@@ -241,6 +273,8 @@ export type Agent = {
   version?: number;
   category?: string;
   support_contact?: SupportContact;
+  /** Per-tool configuration options (deferred loading, allowed callers, etc.) */
+  tool_options?: AgentToolOptions;
 };
 
 export type TAgentsMap = Record<string, Agent | undefined>;
@@ -265,6 +299,7 @@ export type AgentCreateParams = {
   | 'recursion_limit'
   | 'category'
   | 'support_contact'
+  | 'tool_options'
 >;
 
 export type AgentUpdateParams = {
@@ -291,6 +326,7 @@ export type AgentUpdateParams = {
   | 'recursion_limit'
   | 'category'
   | 'support_contact'
+  | 'tool_options'
 >;
 
 export type AgentListParams = {
diff --git a/packages/data-provider/src/types/mutations.ts b/packages/data-provider/src/types/mutations.ts
index 1a7211edfaf7..15f0cd23296e 100644
--- a/packages/data-provider/src/types/mutations.ts
+++ b/packages/data-provider/src/types/mutations.ts
@@ -313,6 +313,15 @@ export type UpdateMCPServersPermOptions = MutationOptions<
   types.TError | null | undefined
 >;
 
+export type UpdateRemoteAgentsPermVars = UpdatePermVars<p.TRemoteAgentsPermissions>;
+
+export type UpdateRemoteAgentsPermOptions = MutationOptions<
+  UpdatePermResponse,
+  UpdateRemoteAgentsPermVars,
+  unknown,
+  types.TError | null | undefined
+>;
+
 export type UpdateMarketplacePermVars = UpdatePermVars<p.TMarketplacePermissions>;
 
 export type UpdateMarketplacePermOptions = MutationOptions<
diff --git a/packages/data-schemas/src/methods/accessRole.spec.ts b/packages/data-schemas/src/methods/accessRole.spec.ts
index b0f7ba70efcc..6919e6c7dfe9 100644
--- a/packages/data-schemas/src/methods/accessRole.spec.ts
+++ b/packages/data-schemas/src/methods/accessRole.spec.ts
@@ -203,6 +203,9 @@ describe('AccessRole Model Tests', () => {
           AccessRoleIds.MCPSERVER_EDITOR,
           AccessRoleIds.MCPSERVER_OWNER,
           AccessRoleIds.MCPSERVER_VIEWER,
+          AccessRoleIds.REMOTE_AGENT_EDITOR,
+          AccessRoleIds.REMOTE_AGENT_OWNER,
+          AccessRoleIds.REMOTE_AGENT_VIEWER,
         ].sort(),
       );
 
diff --git a/packages/data-schemas/src/methods/accessRole.ts b/packages/data-schemas/src/methods/accessRole.ts
index 0971c0f9e854..ab2cffbad88f 100644
--- a/packages/data-schemas/src/methods/accessRole.ts
+++ b/packages/data-schemas/src/methods/accessRole.ts
@@ -167,6 +167,27 @@ export function createAccessRoleMethods(mongoose: typeof import('mongoose')) {
         resourceType: ResourceType.MCPSERVER,
         permBits: RoleBits.OWNER,
       },
+      {
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_VIEWER,
+        name: 'com_ui_remote_agent_role_viewer',
+        description: 'com_ui_remote_agent_role_viewer_desc',
+        resourceType: ResourceType.REMOTE_AGENT,
+        permBits: RoleBits.VIEWER,
+      },
+      {
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_EDITOR,
+        name: 'com_ui_remote_agent_role_editor',
+        description: 'com_ui_remote_agent_role_editor_desc',
+        resourceType: ResourceType.REMOTE_AGENT,
+        permBits: RoleBits.EDITOR,
+      },
+      {
+        accessRoleId: AccessRoleIds.REMOTE_AGENT_OWNER,
+        name: 'com_ui_remote_agent_role_owner',
+        description: 'com_ui_remote_agent_role_owner_desc',
+        resourceType: ResourceType.REMOTE_AGENT,
+        permBits: RoleBits.OWNER,
+      },
     ];
 
     const result: Record<string, IAccessRole> = {};
diff --git a/packages/data-schemas/src/methods/agentApiKey.ts b/packages/data-schemas/src/methods/agentApiKey.ts
new file mode 100644
index 000000000000..3462f9ff8438
--- /dev/null
+++ b/packages/data-schemas/src/methods/agentApiKey.ts
@@ -0,0 +1,164 @@
+import type { Types } from 'mongoose';
+import type {
+  AgentApiKeyCreateResult,
+  AgentApiKeyCreateData,
+  AgentApiKeyListItem,
+  IAgentApiKey,
+} from '~/types';
+import { hashToken, getRandomValues } from '~/crypto';
+import logger from '~/config/winston';
+
+const API_KEY_PREFIX = 'sk-';
+const API_KEY_LENGTH = 32;
+
+export function createAgentApiKeyMethods(mongoose: typeof import('mongoose')) {
+  async function generateApiKey(): Promise<{ key: string; keyHash: string; keyPrefix: string }> {
+    const randomPart = await getRandomValues(API_KEY_LENGTH);
+    const key = `${API_KEY_PREFIX}${randomPart}`;
+    const keyHash = await hashToken(key);
+    const keyPrefix = key.slice(0, 8);
+    return { key, keyHash, keyPrefix };
+  }
+
+  async function createAgentApiKey(data: AgentApiKeyCreateData): Promise<AgentApiKeyCreateResult> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const { key, keyHash, keyPrefix } = await generateApiKey();
+
+      const apiKeyDoc = await AgentApiKey.create({
+        userId: data.userId,
+        name: data.name,
+        keyHash,
+        keyPrefix,
+        expiresAt: data.expiresAt || undefined,
+      });
+
+      return {
+        id: apiKeyDoc._id.toString(),
+        name: apiKeyDoc.name,
+        keyPrefix,
+        key,
+        createdAt: apiKeyDoc.createdAt,
+        expiresAt: apiKeyDoc.expiresAt,
+      };
+    } catch (error) {
+      logger.error('[createAgentApiKey] Error creating API key:', error);
+      throw error;
+    }
+  }
+
+  async function validateAgentApiKey(
+    apiKey: string,
+  ): Promise<{ userId: Types.ObjectId; keyId: Types.ObjectId } | null> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const keyHash = await hashToken(apiKey);
+
+      const keyDoc = (await AgentApiKey.findOne({ keyHash }).lean()) as IAgentApiKey | null;
+
+      if (!keyDoc) {
+        return null;
+      }
+
+      if (keyDoc.expiresAt && new Date(keyDoc.expiresAt) < new Date()) {
+        return null;
+      }
+
+      await AgentApiKey.updateOne({ _id: keyDoc._id }, { $set: { lastUsedAt: new Date() } });
+
+      return {
+        userId: keyDoc.userId,
+        keyId: keyDoc._id as Types.ObjectId,
+      };
+    } catch (error) {
+      logger.error('[validateAgentApiKey] Error validating API key:', error);
+      return null;
+    }
+  }
+
+  async function listAgentApiKeys(userId: string | Types.ObjectId): Promise<AgentApiKeyListItem[]> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const keys = (await AgentApiKey.find({ userId })
+        .sort({ createdAt: -1 })
+        .lean()) as unknown as IAgentApiKey[];
+
+      return keys.map((key) => ({
+        id: (key._id as Types.ObjectId).toString(),
+        name: key.name,
+        keyPrefix: key.keyPrefix,
+        lastUsedAt: key.lastUsedAt,
+        expiresAt: key.expiresAt,
+        createdAt: key.createdAt,
+      }));
+    } catch (error) {
+      logger.error('[listAgentApiKeys] Error listing API keys:', error);
+      throw error;
+    }
+  }
+
+  async function deleteAgentApiKey(
+    keyId: string | Types.ObjectId,
+    userId: string | Types.ObjectId,
+  ): Promise<boolean> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const result = await AgentApiKey.deleteOne({ _id: keyId, userId });
+      return result.deletedCount > 0;
+    } catch (error) {
+      logger.error('[deleteAgentApiKey] Error deleting API key:', error);
+      throw error;
+    }
+  }
+
+  async function deleteAllAgentApiKeys(userId: string | Types.ObjectId): Promise<number> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const result = await AgentApiKey.deleteMany({ userId });
+      return result.deletedCount;
+    } catch (error) {
+      logger.error('[deleteAllAgentApiKeys] Error deleting all API keys:', error);
+      throw error;
+    }
+  }
+
+  async function getAgentApiKeyById(
+    keyId: string | Types.ObjectId,
+    userId: string | Types.ObjectId,
+  ): Promise<AgentApiKeyListItem | null> {
+    try {
+      const AgentApiKey = mongoose.models.AgentApiKey;
+      const keyDoc = (await AgentApiKey.findOne({
+        _id: keyId,
+        userId,
+      }).lean()) as IAgentApiKey | null;
+
+      if (!keyDoc) {
+        return null;
+      }
+
+      return {
+        id: (keyDoc._id as Types.ObjectId).toString(),
+        name: keyDoc.name,
+        keyPrefix: keyDoc.keyPrefix,
+        lastUsedAt: keyDoc.lastUsedAt,
+        expiresAt: keyDoc.expiresAt,
+        createdAt: keyDoc.createdAt,
+      };
+    } catch (error) {
+      logger.error('[getAgentApiKeyById] Error getting API key:', error);
+      throw error;
+    }
+  }
+
+  return {
+    createAgentApiKey,
+    validateAgentApiKey,
+    listAgentApiKeys,
+    deleteAgentApiKey,
+    deleteAllAgentApiKeys,
+    getAgentApiKeyById,
+  };
+}
+
+export type AgentApiKeyMethods = ReturnType<typeof createAgentApiKeyMethods>;
diff --git a/packages/data-schemas/src/methods/file.spec.ts b/packages/data-schemas/src/methods/file.spec.ts
index 5cf51684ac7e..390b6a8f5c27 100644
--- a/packages/data-schemas/src/methods/file.spec.ts
+++ b/packages/data-schemas/src/methods/file.spec.ts
@@ -130,7 +130,7 @@ describe('File Methods', () => {
 
       const files = await fileMethods.getFiles({ user: userId });
       expect(files).toHaveLength(3);
-      expect(files.map((f) => f.file_id)).toEqual(expect.arrayContaining(fileIds));
+      expect(files!.map((f) => f.file_id)).toEqual(expect.arrayContaining(fileIds));
     });
 
     it('should exclude text field by default', async () => {
@@ -149,7 +149,7 @@ describe('File Methods', () => {
 
       const files = await fileMethods.getFiles({ file_id: fileId });
       expect(files).toHaveLength(1);
-      expect(files[0].text).toBeUndefined();
+      expect(files![0].text).toBeUndefined();
     });
   });
 
@@ -207,7 +207,7 @@ describe('File Methods', () => {
       expect(files[0].file_id).toBe(contextFileId);
     });
 
-    it('should retrieve files for execute_code tool', async () => {
+    it('should not retrieve execute_code files (handled by getCodeGeneratedFiles)', async () => {
       const userId = new mongoose.Types.ObjectId();
       const codeFileId = uuidv4();
 
@@ -218,14 +218,16 @@ describe('File Methods', () => {
         filepath: '/uploads/code.py',
         type: 'text/x-python',
         bytes: 100,
+        context: FileContext.execute_code,
         metadata: { fileIdentifier: 'some-identifier' },
       });
 
+      // execute_code files are explicitly excluded from getToolFilesByIds
+      // They are retrieved via getCodeGeneratedFiles and getUserCodeFiles instead
       const toolSet = new Set([EToolResources.execute_code]);
       const files = await fileMethods.getToolFilesByIds([codeFileId], toolSet);
 
-      expect(files).toHaveLength(1);
-      expect(files[0].file_id).toBe(codeFileId);
+      expect(files).toHaveLength(0);
     });
   });
 
@@ -490,7 +492,7 @@ describe('File Methods', () => {
 
       const remaining = await fileMethods.getFiles({});
       expect(remaining).toHaveLength(1);
-      expect(remaining[0].user?.toString()).toBe(otherUserId.toString());
+      expect(remaining![0].user?.toString()).toBe(otherUserId.toString());
     });
   });
 
diff --git a/packages/data-schemas/src/methods/file.ts b/packages/data-schemas/src/methods/file.ts
index 5ea27aeb6cfb..751f23f5c0e2 100644
--- a/packages/data-schemas/src/methods/file.ts
+++ b/packages/data-schemas/src/methods/file.ts
@@ -47,7 +47,8 @@ export function createFileMethods(mongoose: typeof import('mongoose')) {
   }
 
   /**
-   * Retrieves tool files (files that are embedded or have a fileIdentifier) from an array of file IDs
+   * Retrieves tool files (files that are embedded or have a fileIdentifier) from an array of file IDs.
+   * Note: execute_code files are handled separately by getCodeGeneratedFiles.
    * @param fileIds - Array of file_id strings to search for
    * @param toolResourceSet - Optional filter for tool resources
    * @returns Files that match the criteria
@@ -61,21 +62,26 @@ export function createFileMethods(mongoose: typeof import('mongoose')) {
     }
 
     try {
-      const filter: FilterQuery<IMongoFile> = {
-        file_id: { $in: fileIds },
-        $or: [],
-      };
+      const orConditions: FilterQuery<IMongoFile>[] = [];
 
       if (toolResourceSet.has(EToolResources.context)) {
-        filter.$or?.push({ text: { $exists: true, $ne: null }, context: FileContext.agents });
+        orConditions.push({ text: { $exists: true, $ne: null }, context: FileContext.agents });
       }
       if (toolResourceSet.has(EToolResources.file_search)) {
-        filter.$or?.push({ embedded: true });
+        orConditions.push({ embedded: true });
       }
-      if (toolResourceSet.has(EToolResources.execute_code)) {
-        filter.$or?.push({ 'metadata.fileIdentifier': { $exists: true } });
+
+      // If no conditions to match, return empty
+      if (orConditions.length === 0) {
+        return [];
       }
 
+      const filter: FilterQuery<IMongoFile> = {
+        file_id: { $in: fileIds },
+        context: { $ne: FileContext.execute_code },
+        $or: orConditions,
+      };
+
       const selectFields: SelectProjection = { text: 0 };
       const sortOptions = { updatedAt: -1 as SortOrder };
 
@@ -87,6 +93,84 @@ export function createFileMethods(mongoose: typeof import('mongoose')) {
     }
   }
 
+  /**
+   * Retrieves files generated by code execution for a given conversation.
+   * These files are stored locally with fileIdentifier metadata for code env re-upload.
+   *
+   * @param conversationId - The conversation ID to search for
+   * @param messageIds - Array of messageIds to filter by (for linear thread filtering).
+   *   While technically optional, this function returns empty if not provided.
+   *   This is intentional: code-generated files must be filtered by thread to avoid
+   *   including files from other branches of a conversation.
+   * @returns Files generated by code execution in the conversation, filtered by messageIds
+   */
+  async function getCodeGeneratedFiles(
+    conversationId: string,
+    messageIds?: string[],
+  ): Promise<IMongoFile[]> {
+    if (!conversationId) {
+      return [];
+    }
+
+    /**
+     * Return early if messageIds not provided - this is intentional behavior.
+     * Code-generated files must be filtered by thread messageIds to ensure we only
+     * return files relevant to the current conversation branch, not orphaned files
+     * from other branches or deleted messages.
+     */
+    if (!messageIds || messageIds.length === 0) {
+      return [];
+    }
+
+    try {
+      const filter: FilterQuery<IMongoFile> = {
+        conversationId,
+        context: FileContext.execute_code,
+        messageId: { $exists: true, $in: messageIds },
+        'metadata.fileIdentifier': { $exists: true },
+      };
+
+      const selectFields: SelectProjection = { text: 0 };
+      const sortOptions = { createdAt: 1 as SortOrder };
+
+      const results = await getFiles(filter, sortOptions, selectFields);
+      return results ?? [];
+    } catch (error) {
+      logger.error('[getCodeGeneratedFiles] Error retrieving code generated files:', error);
+      return [];
+    }
+  }
+
+  /**
+   * Retrieves user-uploaded execute_code files (not code-generated) by their file IDs.
+   * These are files with fileIdentifier metadata but context is NOT execute_code (e.g., agents or message_attachment).
+   * File IDs should be collected from message.files arrays in the current thread.
+   * @param fileIds - Array of file IDs to fetch (from message.files in the thread)
+   * @returns User-uploaded execute_code files
+   */
+  async function getUserCodeFiles(fileIds?: string[]): Promise<IMongoFile[]> {
+    if (!fileIds || fileIds.length === 0) {
+      return [];
+    }
+
+    try {
+      const filter: FilterQuery<IMongoFile> = {
+        file_id: { $in: fileIds },
+        context: { $ne: FileContext.execute_code },
+        'metadata.fileIdentifier': { $exists: true },
+      };
+
+      const selectFields: SelectProjection = { text: 0 };
+      const sortOptions = { createdAt: 1 as SortOrder };
+
+      const results = await getFiles(filter, sortOptions, selectFields);
+      return results ?? [];
+    } catch (error) {
+      logger.error('[getUserCodeFiles] Error retrieving user code files:', error);
+      return [];
+    }
+  }
+
   /**
    * Creates a new file with a TTL of 1 hour.
    * @param data - The file data to be created, must contain file_id
@@ -258,6 +342,8 @@ export function createFileMethods(mongoose: typeof import('mongoose')) {
     findFileById,
     getFiles,
     getToolFilesByIds,
+    getCodeGeneratedFiles,
+    getUserCodeFiles,
     createFile,
     updateFile,
     updateFileUsage,
diff --git a/packages/data-schemas/src/methods/index.ts b/packages/data-schemas/src/methods/index.ts
index b6f1be64e912..2f20b67fec46 100644
--- a/packages/data-schemas/src/methods/index.ts
+++ b/packages/data-schemas/src/methods/index.ts
@@ -10,6 +10,8 @@ import { createFileMethods, type FileMethods } from './file';
 import { createMemoryMethods, type MemoryMethods } from './memory';
 /* Agent Categories */
 import { createAgentCategoryMethods, type AgentCategoryMethods } from './agentCategory';
+/* Agent API Keys */
+import { createAgentApiKeyMethods, type AgentApiKeyMethods } from './agentApiKey';
 /* MCP Servers */
 import { createMCPServerMethods, type MCPServerMethods } from './mcpServer';
 /* Plugin Auth */
@@ -28,6 +30,7 @@ export type AllMethods = UserMethods &
   FileMethods &
   MemoryMethods &
   AgentCategoryMethods &
+  AgentApiKeyMethods &
   MCPServerMethods &
   UserGroupMethods &
   AclEntryMethods &
@@ -49,6 +52,7 @@ export function createMethods(mongoose: typeof import('mongoose')): AllMethods {
     ...createFileMethods(mongoose),
     ...createMemoryMethods(mongoose),
     ...createAgentCategoryMethods(mongoose),
+    ...createAgentApiKeyMethods(mongoose),
     ...createMCPServerMethods(mongoose),
     ...createAccessRoleMethods(mongoose),
     ...createUserGroupMethods(mongoose),
@@ -67,6 +71,7 @@ export type {
   FileMethods,
   MemoryMethods,
   AgentCategoryMethods,
+  AgentApiKeyMethods,
   MCPServerMethods,
   UserGroupMethods,
   AclEntryMethods,
diff --git a/packages/data-schemas/src/models/agentApiKey.ts b/packages/data-schemas/src/models/agentApiKey.ts
new file mode 100644
index 000000000000..70387a2cef7f
--- /dev/null
+++ b/packages/data-schemas/src/models/agentApiKey.ts
@@ -0,0 +1,7 @@
+import agentApiKeySchema, { IAgentApiKey } from '~/schema/agentApiKey';
+
+export function createAgentApiKeyModel(mongoose: typeof import('mongoose')) {
+  return (
+    mongoose.models.AgentApiKey || mongoose.model<IAgentApiKey>('AgentApiKey', agentApiKeySchema)
+  );
+}
diff --git a/packages/data-schemas/src/models/index.ts b/packages/data-schemas/src/models/index.ts
index 45516d5a7cb8..ca1a6259be48 100644
--- a/packages/data-schemas/src/models/index.ts
+++ b/packages/data-schemas/src/models/index.ts
@@ -5,6 +5,7 @@ import { createBalanceModel } from './balance';
 import { createConversationModel } from './convo';
 import { createMessageModel } from './message';
 import { createAgentModel } from './agent';
+import { createAgentApiKeyModel } from './agentApiKey';
 import { createAgentCategoryModel } from './agentCategory';
 import { createMCPServerModel } from './mcpServer';
 import { createRoleModel } from './role';
@@ -39,6 +40,7 @@ export function createModels(mongoose: typeof import('mongoose')) {
     Conversation: createConversationModel(mongoose),
     Message: createMessageModel(mongoose),
     Agent: createAgentModel(mongoose),
+    AgentApiKey: createAgentApiKeyModel(mongoose),
     AgentCategory: createAgentCategoryModel(mongoose),
     MCPServer: createMCPServerModel(mongoose),
     Role: createRoleModel(mongoose),
diff --git a/packages/data-schemas/src/schema/accessRole.ts b/packages/data-schemas/src/schema/accessRole.ts
index 082c28a5f018..52f9e796c05d 100644
--- a/packages/data-schemas/src/schema/accessRole.ts
+++ b/packages/data-schemas/src/schema/accessRole.ts
@@ -16,7 +16,7 @@ const accessRoleSchema = new Schema<IAccessRole>(
     description: String,
     resourceType: {
       type: String,
-      enum: ['agent', 'project', 'file', 'promptGroup', 'mcpServer'],
+      enum: ['agent', 'project', 'file', 'promptGroup', 'mcpServer', 'remoteAgent'],
       required: true,
       default: 'agent',
     },
diff --git a/packages/data-schemas/src/schema/agent.ts b/packages/data-schemas/src/schema/agent.ts
index 51739f552a06..32bba8bef825 100644
--- a/packages/data-schemas/src/schema/agent.ts
+++ b/packages/data-schemas/src/schema/agent.ts
@@ -118,6 +118,11 @@ const agentSchema = new Schema<IAgent>(
       default: [],
       index: true,
     },
+    /** Per-tool configuration (defer_loading, allowed_callers) */
+    tool_options: {
+      type: Schema.Types.Mixed,
+      default: undefined,
+    },
   },
   {
     timestamps: true,
diff --git a/packages/data-schemas/src/schema/agentApiKey.ts b/packages/data-schemas/src/schema/agentApiKey.ts
new file mode 100644
index 000000000000..d7037f857f14
--- /dev/null
+++ b/packages/data-schemas/src/schema/agentApiKey.ts
@@ -0,0 +1,59 @@
+import mongoose, { Schema, Document, Types } from 'mongoose';
+
+export interface IAgentApiKey extends Document {
+  userId: Types.ObjectId;
+  name: string;
+  keyHash: string;
+  keyPrefix: string;
+  lastUsedAt?: Date;
+  expiresAt?: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+const agentApiKeySchema: Schema<IAgentApiKey> = new Schema(
+  {
+    userId: {
+      type: mongoose.Schema.Types.ObjectId,
+      ref: 'User',
+      required: true,
+      index: true,
+    },
+    name: {
+      type: String,
+      required: true,
+      trim: true,
+      maxlength: 100,
+    },
+    keyHash: {
+      type: String,
+      required: true,
+      select: false,
+      index: true,
+    },
+    keyPrefix: {
+      type: String,
+      required: true,
+      index: true,
+    },
+    lastUsedAt: {
+      type: Date,
+    },
+    expiresAt: {
+      type: Date,
+    },
+  },
+  { timestamps: true },
+);
+
+agentApiKeySchema.index({ userId: 1, name: 1 });
+
+/**
+ * TTL index for automatic cleanup of expired keys.
+ * MongoDB deletes documents when expiresAt passes (expireAfterSeconds: 0 means immediate).
+ * Note: Expired keys are permanently removed, not soft-deleted.
+ * If audit trails are needed, remove this index and check expiration programmatically.
+ */
+agentApiKeySchema.index({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+
+export default agentApiKeySchema;
diff --git a/packages/data-schemas/src/schema/file.ts b/packages/data-schemas/src/schema/file.ts
index 5bf4d95d876e..d39672f1eae9 100644
--- a/packages/data-schemas/src/schema/file.ts
+++ b/packages/data-schemas/src/schema/file.ts
@@ -15,6 +15,10 @@ const file: Schema<IMongoFile> = new Schema(
       ref: 'Conversation',
       index: true,
     },
+    messageId: {
+      type: String,
+      index: true,
+    },
     file_id: {
       type: String,
       index: true,
diff --git a/packages/data-schemas/src/schema/index.ts b/packages/data-schemas/src/schema/index.ts
index 2d94db530156..454780b8bf38 100644
--- a/packages/data-schemas/src/schema/index.ts
+++ b/packages/data-schemas/src/schema/index.ts
@@ -1,5 +1,6 @@
 export { default as actionSchema } from './action';
 export { default as agentSchema } from './agent';
+export { default as agentApiKeySchema } from './agentApiKey';
 export { default as agentCategorySchema } from './agentCategory';
 export { default as assistantSchema } from './assistant';
 export { default as balanceSchema } from './balance';
diff --git a/packages/data-schemas/src/schema/role.ts b/packages/data-schemas/src/schema/role.ts
index 3ac0a7f8a2e5..e4821ba4053f 100644
--- a/packages/data-schemas/src/schema/role.ts
+++ b/packages/data-schemas/src/schema/role.ts
@@ -61,6 +61,12 @@ const rolePermissionsSchema = new Schema(
       [Permissions.SHARE]: { type: Boolean },
       [Permissions.SHARE_PUBLIC]: { type: Boolean },
     },
+    [PermissionTypes.REMOTE_AGENTS]: {
+      [Permissions.USE]: { type: Boolean },
+      [Permissions.CREATE]: { type: Boolean },
+      [Permissions.SHARE]: { type: Boolean },
+      [Permissions.SHARE_PUBLIC]: { type: Boolean },
+    },
   },
   { _id: false },
 );
diff --git a/packages/data-schemas/src/types/agent.ts b/packages/data-schemas/src/types/agent.ts
index b150b2ec3f09..3549e88b4a45 100644
--- a/packages/data-schemas/src/types/agent.ts
+++ b/packages/data-schemas/src/types/agent.ts
@@ -1,5 +1,5 @@
 import { Document, Types } from 'mongoose';
-import type { GraphEdge } from 'librechat-data-provider';
+import type { GraphEdge, AgentToolOptions } from 'librechat-data-provider';
 
 export interface ISupportContact {
   name?: string;
@@ -42,4 +42,6 @@ export interface IAgent extends Omit<Document, 'model'> {
   is_promoted?: boolean;
   /** MCP server names extracted from tools for efficient querying */
   mcpServerNames?: string[];
+  /** Per-tool configuration (defer_loading, allowed_callers) */
+  tool_options?: AgentToolOptions;
 }
diff --git a/packages/data-schemas/src/types/agentApiKey.ts b/packages/data-schemas/src/types/agentApiKey.ts
new file mode 100644
index 000000000000..968937a717af
--- /dev/null
+++ b/packages/data-schemas/src/types/agentApiKey.ts
@@ -0,0 +1,46 @@
+import { Document, Types } from 'mongoose';
+
+export interface IAgentApiKey extends Document {
+  userId: Types.ObjectId;
+  name: string;
+  keyHash: string;
+  keyPrefix: string;
+  lastUsedAt?: Date;
+  expiresAt?: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+export interface AgentApiKeyCreateData {
+  userId: Types.ObjectId | string;
+  name: string;
+  expiresAt?: Date | null;
+}
+
+export interface AgentApiKeyCreateResult {
+  id: string;
+  name: string;
+  keyPrefix: string;
+  key: string;
+  createdAt: Date;
+  expiresAt?: Date;
+}
+
+export interface AgentApiKeyListItem {
+  id: string;
+  name: string;
+  keyPrefix: string;
+  lastUsedAt?: Date;
+  expiresAt?: Date;
+  createdAt: Date;
+}
+
+export interface AgentApiKeyQuery {
+  userId?: Types.ObjectId | string;
+  keyPrefix?: string;
+  id?: string;
+}
+
+export interface AgentApiKeyDeleteResult {
+  deletedCount?: number;
+}
diff --git a/packages/data-schemas/src/types/file.ts b/packages/data-schemas/src/types/file.ts
index 231ab9333298..8f17e3b597e5 100644
--- a/packages/data-schemas/src/types/file.ts
+++ b/packages/data-schemas/src/types/file.ts
@@ -3,6 +3,7 @@ import { Document, Types } from 'mongoose';
 export interface IMongoFile extends Omit<Document, 'model'> {
   user: Types.ObjectId;
   conversationId?: string;
+  messageId?: string;
   file_id: string;
   temp_file_id?: string;
   bytes: number;
diff --git a/packages/data-schemas/src/types/index.ts b/packages/data-schemas/src/types/index.ts
index 828cdf9c8f08..38f9f22b502c 100644
--- a/packages/data-schemas/src/types/index.ts
+++ b/packages/data-schemas/src/types/index.ts
@@ -10,6 +10,7 @@ export * from './balance';
 export * from './banner';
 export * from './message';
 export * from './agent';
+export * from './agentApiKey';
 export * from './agentCategory';
 export * from './role';
 export * from './action';
diff --git a/packages/data-schemas/src/types/role.ts b/packages/data-schemas/src/types/role.ts
index fc6340da2c58..e70e29204af0 100644
--- a/packages/data-schemas/src/types/role.ts
+++ b/packages/data-schemas/src/types/role.ts
@@ -59,6 +59,12 @@ export interface IRole extends Document {
       [Permissions.SHARE]?: boolean;
       [Permissions.SHARE_PUBLIC]?: boolean;
     };
+    [PermissionTypes.REMOTE_AGENTS]?: {
+      [Permissions.USE]?: boolean;
+      [Permissions.CREATE]?: boolean;
+      [Permissions.SHARE]?: boolean;
+      [Permissions.SHARE_PUBLIC]?: boolean;
+    };
   };
 }